maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.
Any configuration on any maddy version <0.5.4 using auth.pam is affected. No password expiry or account expiry checking is done when authenticating using PAM.
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.
Impact This vulnerability affects maddy 0.5.1, 0.5.0 users using auth.shadow module and an extremely outdated system that still allows MD5 hashes in /etc/shadows. Patches Patch is available as part of the 0.5.2 release. Workarounds Ensure MD5 hashes are not present in /etc/shadow.
Impact Anyone using storage.blob.s3 introduced in 0.5.0 with storage.imapsql. storage.imapsql local_mailboxes { … msg_store s3 { … } } Patches The relevant commit is pushed to master and will be included in the 0.5.1 release. No special handling of the issue has been done due to the small amount of affected users. Workarounds None. References Original report: https://github.com/foxcpp/maddy/issues/395 Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8