On Thu, 2008-11-13 at 15:57 +0200, Timo Sirainen wrote:
> On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
>
> > Hi,
> >
> > we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
> > world readable - possible password exposure.
> >
> > This problem seems to be little more complicated than we thought.
> >
> > dovecot.conf can contain passphrase for ssl key, which is available
> > for everyone since dovecot.conf has world readable permissions.
>
> Maybe a new separate dovecot-secret.conf? When Dovecot starts up it
> first reads dovecot.conf and after that dovecot-secret.conf. deliver
> wouldn't read dovecot-secret.conf at all.

Added !include and !include_try:

http://hg.dovecot.org/dovecot-1.1/rev/5f471f5b06d2
http://hg.dovecot.org/dovecot-1.1/rev/313d1195318f

deliver will currently just skip !include_try lines and gives an error
if !include is tried to be used. So for now it's not a good idea to
start using !include in default settings. :)
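
The check below is an added example, not part of the original message or of Dovecot's code: a shell audit that follows !include / !include_try lines from a main config and reports any world-readable file that sets the SSL key passphrase. It assumes the passphrase is set with ssl_key_password, that include paths are literal (no globs), and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not Dovecot code. Assumes literal include paths (no globs).

# True if "other" has read permission on $1 (symlinks are followed).
world_readable() {
    [ "$(ls -ldL "$1" | cut -c8)" = r ]
}

# Print $1 and every file it pulls in via !include / !include_try.
# Missing or unreadable files are skipped; depth is capped to stop cycles.
config_files() {
    [ -r "$1" ] || return 0
    [ "${2:-0}" -lt 8 ] || return 0
    printf '%s\n' "$1"
    sed -n 's/^[[:space:]]*!include\(_try\)\{0,1\}[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\2/p' "$1" |
    while IFS= read -r inc; do
        config_files "$inc" $(( ${2:-0} + 1 ))
    done
}

# Print each world-readable file that sets ssl_key_password.
# Returns 1 if any was found, 0 otherwise.
audit_conf() {
    hits=$(config_files "$1" | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=' "$f" &&
           world_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample in directory $1: a 0644 main config that includes a
# separate passphrase file whose mode is $2 (for example 600 or 644).
make_sample() {
    printf 'protocols = imaps\n!include_try %s\n' "$1/dovecot-secret.conf" > "$1/dovecot.conf"
    printf 'ssl_key_password = constructed-passphrase\n' > "$1/dovecot-secret.conf"
    chmod 644 "$1/dovecot.conf"
    chmod "$2" "$1/dovecot-secret.conf"
}

# Usage: sh audit.sh /path/to/dovecot.conf
if [ "$#" -gt 0 ]; then audit_conf "$1"; fi
```

Run it as root to cover included files an unprivileged user cannot open; a file the caller cannot read is skipped rather than reported.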