A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38