Dovecot & gethostbyname() vulnerability

Timo Sirainen tss at iki.fi
Wed Jan 28 15:37:36 UTC 2015


So just a quick note:

Dovecot in general doesn't do DNS lookups, except the ones in configuration files and such. So I don't think there are any Dovecot setups which do DNS lookups for untrusted hostnames.

Also, gethostbyname() is used only if IPv6 support isn't compiled into Dovecot. And IPv6 support is enabled by default if the libc is detected to support it, so pretty much all systems use it.


