How do we disable LOGIN-REFERRALS? (part 2)

sb serbr at runbox.com
Thu Dec 3 17:57:23 UTC 2015


Please amend the first paragraphs of 
PasswordDatabase.ExtraFields.Host.txt as follows.

---cut here---
Login referrals are a server-side IMAP4 extension specified by RFC 2221.
Their purpose is to redirect clients to a different IMAP4 server in case of
hardware failures or organizational changes. No client action is needed
to invoke the LOGIN-REFERRALS capability: the redirection is triggered
by the server and occurs transparently.

A security consideration is in order. As also stated by RFC 2221, a man
in the middle attack may use a rogue 'password catching' server to collect
login data and redirect your clients to their own rogue IMAP4 server.
Login referrals are not supported by many clients, so you probably don't
want to use them anyway.

Dovecot does not use login referrals by default.

[It would be useful at this point if you could add one sentence explaining
the purpose of the LOGIN-REFERRALS in the default capabilities banner.]

If you need them, please follow the instructions below.
---cut here---

Thank you.
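The man-in-the-middle scenario in the proposed text is the reason a client should not follow referrals blindly. As an added example (not part of this post and not Dovecot code), here is how a client can parse the RFC 2221 `[REFERRAL ...]` response code and refuse any target outside an explicit allowlist; the response lines and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# RFC 2221 response code: [REFERRAL url1 url2 ...]; URLs are RFC 2192 IMAP URLs
REFERRAL_RE = re.compile(r"\[REFERRAL\s+([^\]]+)\]", re.IGNORECASE)

# Constructed sample server responses (hypothetical hosts)
SAMPLE_LINES = [
    "A001 OK [REFERRAL IMAP://user;AUTH=*@imap2.example.org/] Mailbox moved",
    "A002 NO [REFERRAL imap://user@evil.example.net/] Try that server",
    "A003 OK LOGIN completed",
]


def parse_referrals(line):
    """Return the list of IMAP URLs carried in a LOGIN-REFERRALS response line."""
    m = REFERRAL_RE.search(line)
    return m.group(1).split() if m else []


def referral_host(url):
    """Extract the target host of an IMAP URL; None if it is not an imap:// URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "imap":
        return None
    return (parts.hostname or "").lower() or None


def check_referral(line, trusted_hosts):
    """Decide whether a referral may be followed.

    Returns ("none", None) when the line carries no referral, ("follow", host)
    when every referred host is in trusted_hosts, and ("reject", host) naming
    the first untrusted or unparsable (host=None) target otherwise. With an
    empty trusted_hosts every referral is rejected, i.e. referrals are ignored.
    """
    urls = parse_referrals(line)
    if not urls:
        return ("none", None)
    hosts = [referral_host(u) for u in urls]
    for h in hosts:
        if h is None or h not in trusted_hosts:
            return ("reject", h)
    return ("follow", hosts[0])
```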


