Update the mail/dovecot to 1.0.b8, which addresses numerous problems
(including proper kqueue support -- that means us, BSD folks! ;) ),
the most important of which is a security hole (individuals are
allowed to list other users' mailboxes).
I've labelled this as serious/medium because of the security hole.
Official changelog between b7 and b8 is as follows:
* Fixed a security hole with mbox: "1 LIST .. *" command could
list all directories and files under the mbox root directory, so
if your mails were stored in eg. /var/mail/%u/ directory, the
command would list everything under /var/mail.
+ Unless nfs_check=no or mmap_disable=yes, check for the first login
if the user's index directory exists in NFS mount. If so, refuse to
run. This is done only on first login to avoid constant extra
+ If we have plugins set and imap_capability unset, figure out the
IMAP capabilities automatically by running imap binary at startup.
The generated capability list isn't updated until Dovecot is
restarted completely, so if you add or remove IMAP plugins you
should restart. If you have problems related to this, set
imap_capabilities setting manually to work around it.
+ Added auth_username_format setting
- pop3_lock_session setting wasn't really working
- Lots of fixes related to quota handling. It's still not working
- Lots of index handling fixes, especially with mmap_disable=yes
- Maildir: saving mails could have sometimes caused "Append with UID
n, but next_uid = m" errors
- flock() locking never timeouted because ignoring SIGALRM caused the
system call just to be restarted when SIGALRM occurred (probably not
with all OSes though?)
- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman
Fix: Apply below patch.
Awaiting maintainers feedback
This patch looks fine, please commit.
I'll take it.
Committed, with minor changes. Thanks!