Dovecot v2.2.7 released

[Arieh]

Dovecot v2.2.7 released

* Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

+ auth: Added ability to truncate values logged by
auth_verbose_passwords (see 10-logging.conf comment)
+ mdbox: Added "mdbox_deleted" storage, which can be used to access
messages with refcount=0. For example: doveadm import
mdbox_deleted:~/mdbox "" mailbox inbox subject oops
+ ssl-params: Added ssl_dh_parameters_length setting.
- master process was doing a hostname.domain lookup for each created
process, which may have caused a lot of unnecessary DNS lookups.
- dsync: Syncing over 100 messages at once caused problems in some
situations, causing messages to get new UIDs.
- fts-solr: Different Solr hosts for different users didn't work.

On 3.11.2013, at 22.08, Timo Sirainen <[email protected]> wrote:

> * Some usage of passdb checkpassword could have been exploitable by
> local users. You may need to modify your setup to keep it working.
> See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

Oh, forgot to mention here: This problem was found by the cPanel people (cPanel uses checkpassword). They also reserved CVE-2013-6171 for this.

 

[DirectAdmin Support]

Added to custombuild on files1.

John

 

[gsdiradmin]

John,

is custom modification urgent as described in link in first post ?

thanks

 

[DirectAdmin Support]

Hello,

I don't believe we use "checkpassword" for authentication, which appears to be an interface to external authentication scripts.
We use dovecot built-in authentication mechanisms.

John

 

[Tristan]

Getting lots of these errors now with this latest version in combination with pigeonhole (on Debian 7.1):

Nov 18 14:32:45 server22 dovecot[28771]: lmtp(29023, [email][email protected][/email]): Error: Z9GKF/kWilJfcQAAt4jBDg: sieve: binary save: failed to create temporary file: open(/var/lib/dovecot/sieve/default.svbin.server22.prism.nl.29023.) failed: Permission denied (euid=1035(dtestmadmin) egid=8(mail) missing +w perm: /var/lib/dovecot/sieve, dir owned by 0:0 mode=0755)
Nov 18 14:32:45 server22 dovecot[28771]: lmtp(29023, [email][email protected][/email]): Error: Z9GKF/kWilJfcQAAt4jBDg: sieve: the lda sieve plugin does not have permission to save global sieve script binaries; global sieve scripts like /var/lib/dovecot/sieve/default.sieve;name=main script need to be pre-compiled using the sievec tool
Nov 18 14:32:46 server22 dovecot[28771]: lmtp(29023, [email][email protected][/email]): Z9GKF/kWilJfcQAAt4jBDg: sieve: msgid=<314b172955ab583e9013524fb7b5c5fcacb.20131118112732@mail.extserver.net>: stored mail into mailbox 'INBOX'

Any ideas?

 

[nobaloney]

Have you resolved this yet? Is it working in spite of errors, or not?

Anyone else seeing errors?

Jeff

 

[Tristan]

Not yet, since we're getting the same errors for v2.2.6 and v2.2.8 I posted this problem here now:

http://forum.directadmin.com/showthread.php?t=47790&p=245140#post245140