Secure IMAP server

Security

I've advertised Dovecot as a secure IMAP server for the past few years now. I don't think any software should be claimed to be secure unless it can be backed up in some way. So now that Dovecot 1.0 beta is finally out, I think it's time for me to finally do that.

I'm offering 1000€ for the first person to demonstrate a remotely exploitable security hole in Dovecot.

Rules are basically:

• You'll have to point out a way for one user to get access to another user's mails without a valid password.
• The Dovecot installation and environment is typical enough that it can reasonably be expected to exist. This means:
  • No unbelievable dovecot.conf tweaks
  • No index file modifications by hand
  • But: All users can be under same system UID. login_chroot=no and login_process_per_connection=no are allowed.
• The bug must be in the latest stable Dovecot release tarball.
• If the bug is outside Dovecot, it doesn't count (eg. OpenSSL or compiler bug). Sieve plugin isn't part of the official Dovecot release either.
• The bug must be shown to be exploitable, not be only theoretical. The "typical enough" rule above extends here as well.
• Proof of concept exploits don't count if the bug was already found by someone else..
• Follow the spirit of these rules, not their exact letter.

Even if you don't find any real problems, I'd still like to hear about potential problem cases in the code.

What's happened so far:

• 22 Jan 2006: The offer began.
• 12 May 2006: First actual security hole in Dovecot: Mailbox names list disclosure with mboxes. Since the mailboxes can't actually be opened, I don't consider this to fit the rules above.
• 19 Nov 2006: Second security hole in Dovecot: Off-by-one buffer overflow with mmap_disable=yes. Actual exploitability isn't known. If it is, it would have fit the rules.
• 30 Mar 2007: zlib plugin allows opening any gziped mboxes. I guess this would have fit the rules, although it's pretty rarely used.
• 1 Aug 2007: ACL plugin had some problems, but it barely counts as a security hole.
• 21 Dec 2007: Specific LDAP configuration with auth cache enabled may have caused users with same passwords to log in as each others.
• 4 Mar 2008: mail_extra_groups setting was often used insecurely.
• 9 Mar 2008: Blocking passdbs allowed to log in without a valid password in v1.0.11 and v1.0.12 (released 5 days ago).
• 1 Apr 2008: Buffer overflow in Boyer-Moore string searching code in v1.1 release candidates.
• Nov 2008: ACL plugin has mainly been used for some simple ACLs and sysadmin should have always tested that they work correctly. But as the ACL plugin has recently been developed more, bugs have been found and distro people have treated them as security holes. I think it's highly unlikely anyone really cared about those. The brokeness of the functionality would have been immediately obvious.
• 25 Mar 2009: Memory corruption in v1.2.betas.
• 13 Sep 2009: Security holes in CMU Sieve plugin. This is why I've kept the Sieve plugin in a separate package.
• 19 Nov 2009: v1.2 was creating base dir with 0777 permissions.
• 23 Jul 2010: v1.2 was copying INBOX ACLs to newly created mailboxes with Maildir.
• 1 Oct 2010: ACL plugin didn't handle multiple ACL entries correctly in v1.2.8+.