A security issue has been found in Dovecot before 2.3.10.1 in the lmtp/submission component. An authenticated attacker could send an e-mail via the submission service with empty quoted localpart which would cause the submission or lmtp component to crash. An unauthenticated attacker could send an e-mail with a bad sender or recipient address, causing the e-mail to be passed to LMTP for delivery and then crash the LMTP component unless some kind of filtering has been set up on the MTA level.
A security issue has been found in Dovecot before 2.3.10.1 in the lmtp/submission component. An authenticated attacker could send an e-mail via the submission service with empty quoted localpart which would cause the submission or lmtp component to crash. An unauthenticated attacker could send an e-mail with a bad sender or recipient address, causing the e-mail to be passed to LMTP for delivery and then crash the LMTP component unless some kind of filtering has been set up on the MTA level.
https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html https://github.com/dovecot/core/commit/063462d588eaea6f266596fae5f5470792dcc98d https://github.com/dovecot/core/commit/b34002a4ca301ed94cd944ee3504287ed7e58031 https://github.com/dovecot/core/commit/92d9690da195b6ceaa878ab1df6c7c31a75f63f8 https://github.com/dovecot/core/commit/cbab48f174580bfb8d49321d8d336f96a231b0cd