[Dovecot] dovecot: disable ssl compression

Timo Sirainen tss at iki.fi
Thu Jul 3 19:50:59 UTC 2014


On 20.5.2014, at 22.49, Andreas Schulze <sca at andreasschulze.de> wrote:

> Jiri Bourek:
>> Well they seem to know what they are talking about. The description
>> of the threat in linked screenshot says "attacker needs to have
>> ability to submit any plain text"
> 
> I wrote the attached patch to add SSL_OP_NO_COMPRESSION to dovecot.
> Looks not perfect but definitly works.

Added a Postfix-like ssl_options setting: http://hg.dovecot.org/dovecot-2.2/rev/cea292767b95

But now I'm wondering if no-compression should be enabled by default?..



More information about the dovecot mailing list