<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 16:44 Kevin A. McGrail via dovecot <
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 3/28/2019 10:40 AM, Aki Tuomi wrote:
</div>
<div>
>
</div>
<blockquote type="cite">
<div>
check for fts in mail_plugins. pop3-uidl is used by pop3_migration
</div>
<div>
plugin.
</div>
</blockquote>
<div>
Sorry if I'm dense but can you be more specific? Are you talking about
</div>
<div>
checking conf files or binary files?
</div>
<div>
<br>
</div>
<div>
For example, does the existence of
</div>
<div>
/usr/local/lib/dovecot/lib20_fts_plugin.so imply an exploitable situation?
</div>
<div>
<br>
</div>
<div>
Are their settings in a conf file that disable those plugins?
</div>
<div>
<br>
</div>
<div>
Regards,
</div>
<div>
<br>
</div>
<div>
KAM
</div>
</blockquote>
<div>
<br>
</div>
<div>
Plugin needs to be explicitly loaded in configuration.
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>