Steffen Kaiser wrote:
> On Wed, 18 Nov 2009, Seth Mattinen wrote:
>
>>>>> is there anywhere a web-interface for managing sieve-filters with
>>>>> dovecot?
>>>
>>>> Beware that dovecot managesieve does not have any kind of security to
>>>> prevent abuse if you open it to the outside world.
>>>
>>> Huh?
>>> It has the same security as Dovecot itself: authentication with TLS.
>
>> The last time I checked dovecot managesieve has a denial of service
>> potential of no limit to how much disk space it will let sieve consume.
>
> OK, but this is not related to "outside", you need a password to fill
> the space and take the system down.
>

So? That doesn't mean every logged in connection will be well behaved. Even a well-meaning user could use a managesieve tool with a bug that brings your server down. Until dovecot managesieve figures out how to add some very basic DOS protection I wouldn't open it up to end users.

I haven't looked at the code (too busy) but I can't imagine it would be an impossible task to add a fixed size per script (i.e. a couple megs) and maximum number of allowed scripts (like 50).

~Seth
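
An operator-side audit for the two limits proposed in the message above, as an added example that is not part of the original post and is not Dovecot code. The one-directory-per-user layout, the `*.sieve` naming, the reading of "a couple megs" as 2 MiB, and the function names are all assumptions.

```shell
#!/bin/sh
# Added example: report users whose stored Sieve scripts exceed the limits
# suggested in the thread (fixed size per script, maximum number of scripts).
# Assumed layout (hypothetical): ROOT/<user>/<name>.sieve

MAX_SCRIPT_BYTES=$((2 * 1024 * 1024))   # assumption: "a couple megs" = 2 MiB
MAX_SCRIPTS=50                          # "like 50"

# audit_user_dir DIR
# Prints one line per violation; returns 1 if any limit is exceeded.
audit_user_dir() {
    dir=$1
    status=0
    count=0
    for f in "$dir"/*.sieve; do
        [ -L "$f" ] && continue     # skip symlinks so a linked script is not counted twice
        [ -f "$f" ] || continue     # skips an unmatched glob and non-regular files
        count=$((count + 1))
        size=$(wc -c < "$f")
        size=$((size + 0))          # normalise padding some wc implementations add
        if [ "$size" -gt "$MAX_SCRIPT_BYTES" ]; then
            echo "OVERSIZE $f $size"
            status=1
        fi
    done
    if [ "$count" -gt "$MAX_SCRIPTS" ]; then
        echo "TOO_MANY $dir $count"
        status=1
    fi
    return $status
}

# audit_root ROOT
# Audits every user directory under ROOT; returns 1 if any user is over a limit.
audit_root() {
    root=$1
    rc=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        audit_user_dir "${d%/}" || rc=1
    done
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/sieve-root
if [ "$#" -gt 0 ]; then
    audit_root "$1"
fi
```

Run from cron, a non-zero exit status flags accounts to review before disk usage becomes a problem.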