On 12/03/2015 01:46 PM, sb wrote:
> From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
>> Login referrals are an IMAP extension specified by RFC 2221
>> [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many
>> clients, so you probably don't want to use them normally.
> Right.
>> The following clients are known to support login referrals:
>>
>> * Pine
>> * Outlook (but not Outlook Express)
> We use neither.
>> Login referrals are used only if the proxy field isn't set.
> We want neither LOGIN-REFERRALS nor proxy.
>
> Dovecot's configure includes the following by default:
>> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
>> ENABLE IDLE"
> If the extension is simply hidden from the banner, an attacker could
> still use the extension.

If the connection is SSL/TLS encrypted, the attacker can't add/modify login referrals. If it's not encrypted, the attacker could just as well insert LOGIN-REFERRALS into the CAPABILITY reply if it didn't exist there.

> If one removes the string from the banner above, one merely hides the
> extension name in the banner, or also disables the extension's engine?

As long as Dovecot doesn't return any login-referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.
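The response shapes discussed above, as an added Python example that is not Dovecot code and not part of the original message: it checks whether an untagged CAPABILITY reply advertises LOGIN-REFERRALS, parses an RFC 2221 REFERRAL response code out of a tagged LOGIN reply, and applies the client-side rule the thread implies, following a referral only when it arrived over TLS and points at a host the client already trusts. The sample response lines and the host name are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses in the shapes RFC 3501 / RFC 2221 describe
# (placeholders, not captured from a real server).
CAPABILITY_LINE = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE"
REFERRAL_LINE = ("A001 NO [REFERRAL IMAP://user;AUTH=*@imap.example.net/] "
                 "Specified user is invalid on this server. Try imap.example.net.")
PLAIN_OK_LINE = "A001 OK [CAPABILITY IMAP4rev1 IDLE] Logged in"

# tag, status, optional bracketed response code such as "[REFERRAL ...]", text
TAGGED_RE = re.compile(r"^(\S+) (OK|NO|BAD)(?: \[([^\]]*)\])? ?(.*)$")


def advertises_login_referrals(capability_line):
    """True if an untagged CAPABILITY reply lists the LOGIN-REFERRALS extension."""
    parts = capability_line.split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return "LOGIN-REFERRALS" in {p.upper() for p in parts[2:]}


def parse_referral(tagged_line):
    """Return {"status", "host", "port", "user"} when a tagged LOGIN/AUTHENTICATE
    response carries an RFC 2221 REFERRAL response code, else None."""
    m = TAGGED_RE.match(tagged_line)
    if not m or not m.group(3):
        return None
    code = m.group(3).split(None, 1)
    if len(code) != 2 or code[0].upper() != "REFERRAL":
        return None
    url = urlsplit(code[1])  # IMAP URL (RFC 2192): imap://user;AUTH=*@host/
    if url.scheme.lower() != "imap" or not url.hostname:
        return None
    user = (url.username or "").split(";", 1)[0] or None  # drop ";AUTH=..."
    return {"status": m.group(2), "host": url.hostname,
            "port": url.port or 143, "user": user}


def should_follow(tagged_line, session_is_tls, trusted_hosts):
    """Client-side policy: a referral is acted on only if the session that carried
    it was TLS-protected and the target host is one the client already trusts."""
    ref = parse_referral(tagged_line)
    if ref is None:
        return False
    return session_is_tls and ref["host"] in trusted_hosts
```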
