The file dovecot.conf is world readable by default. This poses a potential security issue if the ssl_key_password parameter is set: any local user would be able to view the password used to protect the SSL key file. The dovecot.conf file does not need to be world readable; dovecot functions perfectly well with /etc/dovecot.conf not being world readable. Changing the default permissions of dovecot.conf to -rw-r----- (0640) would prevent this issue and has no impact on system functionality.
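An added example, not part of the original report: a POSIX shell check for the condition described above (a world-readable dovecot.conf that sets ssl_key_password), plus the 0640 change. The function names and return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a Dovecot config file for the exposure described above.
# Function names and return codes are assumptions for illustration.

# Succeeds if "other" has read permission on the file.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Succeeds if an uncommented ssl_key_password line carries a non-empty value.
has_key_password() {
    grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Return codes:
#   0 = not world readable
#   1 = world readable and ssl_key_password is set (password exposed)
#   2 = world readable, no ssl_key_password set
#   3 = file not found
audit_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "cannot find $conf" >&2
        return 3
    fi
    if ! is_world_readable "$conf"; then
        echo "OK: $conf is not world readable"
        return 0
    fi
    if has_key_password "$conf"; then
        echo "EXPOSED: $conf is world readable and sets ssl_key_password"
        return 1
    fi
    echo "WARN: $conf is world readable (no ssl_key_password set)"
    return 2
}

# Apply the permissions proposed in the report: -rw-r----- (0640).
harden_conf() {
    chmod 0640 "$1"
}

# When a path is given (e.g. /etc/dovecot.conf), audit it; exit status is the result.
if [ "$#" -gt 0 ]; then audit_conf "$1"; fi
```

After `harden_conf`, the file's group must still include whatever account needs to read the configuration; the report does not specify ownership, so that is left unchanged here.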