• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Dovecot CVE-2020-12100

The two or three bugs fixed with that update only cause issues under specific circumstances which are not in place in a standard installation and usage.
 
Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource
exhaustion as Dovecot attempts to
parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by
repeatedly sending mails with bad
content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.
 
While that is true, actually the MTA (your smtp server) should already protect you from such mails.
 
All mail is processed through your local MTA. As far as I have read, Postfix limits the number of MIME parts to 100 by default. This can be controlled by the MIME nesting parameter as described in

Postfix Configuration Parameters

www.postfix.org

So it should not be possible to get a mail processed that has more than a hundred in the first place. I'll be rejected before it is processed by Dovecot.
 
You must log in or register to reply here.

Similar threads

J
Issue SELinux blocking dovecot from writing to passwd.db
Replies
0
Views
293
John Calvert
J
Boas Simon
Resolved Dovecot IMAP issues with Plesk Premium Email (Kolab)
Replies
7
Views
12K
Kaspar@Plesk
Kaspar@Plesk
J
Issue Plesk's authentication driver for dovecot is trying to write to the email accounts password file
Replies
5
Views
418
John Calvert
J
J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
1K
Yaroslav_T
Yaroslav_T
M
Question Are Plesk servers susceptible to TLS BREACH attacks? (cve-2013-3587)
Replies
1
Views
575
scsa20
scsa20
Back
Top