Any configuration on any maddy version <0.5.4 using auth.pam is affected.
No password expiry or account expiry checking is done when authenticating using PAM.
Patch is available as part of the 0.5.4 release.
If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.
It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/foxcpp/maddy | lt | 0.5.4 |