On 20.5.2014, at 22.49, Andreas Schulze <s...@andreasschulze.de> wrote:
> Jiri Bourek:
>> Well they seem to know what they are talking about. The description
>> of the threat in linked screenshot says "attacker needs to have
>> ability to submit any plain text"
>
> I wrote the attached patch to add SSL_OP_NO_COMPRESSION to dovecot.
> Looks not perfect but definitely works.

Added a Postfix-like ssl_options setting: http://hg.dovecot.org/dovecot-2.2/rev/cea292767b95

But now I'm wondering if no-compression should be enabled by default?..