> > Vulnerability Details: > Having a large number of address headers (From, To, Cc, Bcc, etc.) > becomes excessively CPU intensive. With 100k header lines CPU usage is > already 12 seconds, and in a production environment we observed 500k > header lines taking 18 minutes to parse. Since this can be triggered by > external actors sending emails to a victim, this is a security issue. > > The main problem is that each header line's address is added to the end > of a linked list. This is done by walking the whole linked list, which > becomes more inefficient the more addresses there are. > > Workaround: > One can implement restrictions on address headers on MTA component > preceding Dovecot. >
I think sendmail users are in the clear, looks like the default is 32KB: define(`confMAX_HEADERS_LENGTH',num) If the entire MaxHeadersLength option is missing, the default is the value of the MAXHDRSLEN compile-time macro. The default for the mc configuration technique is 32768 bytes. https://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+24.+The+O+Options+Configuration+Command/MaxHeadersLength/ _______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
