During our research into the security of email servers at Münster
University of Applied Sciences, we found a command injection
vulnerability related to STARTTLS in Dovecot. See the attached
advisory for details.
The vulnerability allows a MITM attacker between a mail client and
Dovecot to inject unencrypted commands into the encrypted TLS
context: plaintext commands placed behind the client's STARTTLS
command are still in Dovecot's input buffer after the TLS handshake
and get processed as if the client had sent them inside the encrypted
session. This can be used to redirect user credentials and mails to
the attacker. The attacker also needs to be permitted to send mail
through the Dovecot server.
We have also attached a test script (buftest.py) so you can reproduce
this vulnerability yourself. Usage is simple:
python3 buftest.py <hostname> --smtp --smtp-port <port>
The output reports whether the server is still vulnerable. Run the
script without arguments for full usage information.
A MITM attacker can potentially steal SMTP user credentials and mails.
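To make the failure mode concrete, here is an added, self-contained model of the bug class and of the buffer test idea. It is not Dovecot's code and not buftest.py: the TCP transport and the TLS handshake are modelled away, so feed() receives the already-decoded byte stream and each reply is tagged with the channel it would have gone out on ("plain" before the handshake, "tls" after). The server class, its command set and the probe string are constructed for this illustration.

```python
# Constructed illustration of the STARTTLS buffering flaw (not Dovecot's
# code, not buftest.py). The transport is modelled away: feed() gets the
# decoded byte stream and tags each reply with the channel it belongs to.

class ToySmtpServer:
    """Minimal SMTP command loop with a STARTTLS transition.

    clear_buffer_on_starttls=False reproduces the bug class: bytes that
    arrived in plaintext after the STARTTLS command remain in the input
    buffer and are processed as if they had been sent inside TLS.
    clear_buffer_on_starttls=True is the fixed behaviour.
    """

    def __init__(self, clear_buffer_on_starttls: bool):
        self.clear_buffer_on_starttls = clear_buffer_on_starttls
        self.buf = b""       # unread bytes from the socket
        self.tls = False     # True once the handshake has happened

    def _handle(self, line: bytes) -> str:
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"EHLO":
            return "250 toy.example"
        if verb == b"STARTTLS":
            return "503 TLS already active" if self.tls else "220 Ready to start TLS"
        if verb in (b"NOOP", b"MAIL", b"RCPT", b"RSET"):
            return "250 OK"
        if verb == b"QUIT":
            return "221 Bye"
        return "502 Command not implemented"

    def feed(self, data: bytes):
        """Process one chunk read from the socket; returns [(channel, reply), ...]."""
        self.buf += data
        replies = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            channel = "tls" if self.tls else "plain"
            replies.append((channel, self._handle(line)))
            if line.strip().upper() == b"STARTTLS" and not self.tls:
                # The 220 went out in plaintext; the TLS handshake happens here.
                self.tls = True
                if self.clear_buffer_on_starttls:
                    # Fixed: whatever is still buffered arrived in plaintext and
                    # may have been appended by a MITM, so it must be discarded.
                    self.buf = b""
                # Vulnerable: the loop simply continues and consumes the leftover
                # plaintext lines inside the now "encrypted" context.
        return replies


def pipelined_plaintext_replies(server: ToySmtpServer, trailing: bytes):
    """Send EHLO + STARTTLS followed by `trailing` in ONE plaintext write,
    as a pipelining client or a MITM would, and return the replies the
    server produced after switching to TLS. A correct server returns none,
    because the client has not sent anything after the handshake yet."""
    replies = server.feed(b"EHLO probe.example\r\nSTARTTLS\r\n" + trailing)
    return [reply for channel, reply in replies if channel == "tls"]


def is_vulnerable(server: ToySmtpServer) -> bool:
    """Buffer test: a NOOP injected behind STARTTLS must never be answered
    inside the TLS session. Any reply there means plaintext leaked in."""
    return bool(pipelined_plaintext_replies(server, b"NOOP\r\n"))


if __name__ == "__main__":
    for fixed in (False, True):
        srv = ToySmtpServer(clear_buffer_on_starttls=fixed)
        print("fixed" if fixed else "vulnerable", "->",
              "VULNERABLE" if is_vulnerable(srv) else "ok")
```

The same probe idea carries over to a real server: pipeline STARTTLS and a harmless command in one write, complete the handshake without sending anything, and read. A reply inside the fresh TLS session can only be an answer to the plaintext tail, which is exactly what a MITM could have appended.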