Ok.
Good news: dbmail-3.1 is not affected. Apparently the problem only occurs in 3.2.0 and 3.2.1. It's definitely a regression.

Bad news: if you use 3.2, you should apply the patch I pushed yesterday. The workaround offers no real protection, as Casper correctly surmised.

On 20-12-14 15:10, Casper Langemeijer wrote:
> I imagined the capability string only was the advertised capabilities,
> so I checked the source. Nowhere in the dbmail source I see that
> CRAM-MD5 is actually disabled, but I could be missing the location.
> Could dbmail still authenticate a malicious client?
> _______________________________________________
> DBmail mailing list
> DBmail@dbmail.org
> http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
>

--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/i...@nfg.nl/+31.85.877.99.97