The latest release of the Dovecot IMAP server (2.2.16) is vulnerable to a remote denial of service (DoS) and has been assigned CVE-2015-3420.

Hanno Böck, who found the vulnerability, reports that the imap-login process can be remotely terminated on a handshake failure.

The vulnerability can be triggered by attempting to establish an SSLv3 connection to a Dovecot server that has SSLv3 disabled.

Since the POODLE attack, administrators have been advised to disable SSLv3 in favor of TLS.