DavMail 6.6.0 - Patches Regex Flaw and Updates Backend

DavMail has released version 6.6.0, fixing a regex vulnerability, restoring the OAuth redirect flow that a Microsoft endpoint change had broken, and extending its Microsoft Graph backend. Organizations that use DavMail to reach Microsoft Exchange or Office 365 should upgrade.


Original Reporting

Help Net Security · Anamarija Pogorelec

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Basically, DavMail fixed a security issue and improved how it connects to Microsoft services.

What Happened

This week, DavMail released version 6.6.0, which includes important updates for organizations using it to connect standard mail clients to Microsoft Exchange or Office 365. The update addresses a regex vulnerability identified through code scanning, modifies OAuth redirect handling, and implements various fixes across IMAP, SMTP, CalDAV, and CardDAV subsystems.

The Flaw

The regex flaw sits in the replaceIcal4Principal method. Patterns with nested or overlapping quantifiers can be driven into catastrophic backtracking by crafted input, so a regex applied to data a client supplies is a ReDoS (Regular Expression Denial of Service) risk: a single request can keep a worker thread busy for seconds or longer. The fix replaces the regex calls with plain substring operations, which run in linear time whatever the input, and closes the gap. Since the issue came out of code scanning rather than a reported exploit, treat the upgrade as hardening: there is no claim of in-the-wild abuse.
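As an added illustration (not DavMail's code, and not the pattern that was in replaceIcal4Principal, which the page does not show), the following Python contrasts a constructed ReDoS-prone regex with a substring parser that accepts exactly the same inputs in linear time. The input format, the pattern and the function names are invented for the example.

```python
"""Added example: a ReDoS-prone regex next to a substring rewrite.
Constructed for illustration; the pattern, the input format and the function
names are invented here and are not taken from DavMail."""
import re
import time

# Hypothetical format: a "principal" token of word characters optionally
# separated by single dots, terminated by '@'.  The nested quantifier
# (\w+\.?)+ is the classic ReDoS shape: when the input never reaches '@',
# the backtracking engine tries every way to split the run of word
# characters across repetitions of the group, which grows as 2^n.
PRINCIPAL_RE = re.compile(r"^(\w+\.?)+@")


def principal_regex(value: str):
    """Return the text before '@' when `value` matches PRINCIPAL_RE, else None."""
    m = PRINCIPAL_RE.match(value)
    return m.group(0)[:-1] if m else None


def principal_substring(value: str):
    """Linear-time equivalent of principal_regex: find '@' with str.find and
    validate the prefix in one pass, so no backtracking can happen."""
    at = value.find("@")
    if at <= 0:                      # no '@', or an empty prefix
        return None
    head = value[:at]
    prev_dot = True                  # a leading dot is rejected like a doubled dot
    for ch in head:
        if ch == ".":
            if prev_dot:             # '..' or a leading '.' never matches (\w+\.?)+
                return None
            prev_dot = True
        elif ch.isalnum() or ch == "_":   # str.isalnum plus underscore stands in for \w
            prev_dot = False
        else:
            return None
    return head                      # a trailing dot is allowed, as in the regex


def adversarial(n: int) -> str:
    """Input that never reaches '@': n word characters then a non-word character."""
    return "a" * n + "!"


def time_both(n: int):
    """Wall-clock seconds for each parser on adversarial(n): (regex, substring)."""
    s = adversarial(n)
    t0 = time.perf_counter()
    principal_regex(s)
    t1 = time.perf_counter()
    principal_substring(s)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # The regex column roughly doubles with each step; the substring column stays flat.
    for n in (14, 16, 18, 20):
        r, s = time_both(n)
        print(f"n={n:2d}  regex={r:8.4f}s  substring={s:.6f}s")
```

Running the block shows the regex time doubling with every two extra characters while the substring version stays in microseconds; the substring function is written to accept exactly the language the regex accepts, which is the property to check whenever a regex is swapped out this way.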

OAuth Redirect Issues

Separately, Microsoft recently changed the behavior of its OIDC redirect endpoint, which broke DavMail's interactive authentication flow. The update restores it by changing the default redirect URI to https://localhost/common/oauth2/nativeclient. One check before rolling out: if you use your own Entra ID application registration for DavMail, the authorization server only accepts redirect URIs listed on that registration, so add the new value there or sign-in requests will be rejected.

Protocol Fixes

DavMail 6.6.0 also resolves two IMAP bugs related to RFC 3501 compliance. One affected complex SEARCH queries that use a NOT condition; the other ensures that ENVELOPE header values are encoded correctly, so different mail clients parse them consistently. On the SMTP side, the update now allows sending multiple messages that share a Message-ID to different recipients.

Enhancements Across Other Protocols

For CardDAV, the update adds support for the vCard 4.0 birthday (BDAY) format and changes contact photo encoding to the RFC 2397 data URL form (for example data:image/jpeg;base64,...). On the CalDAV side, shared calendar addresses are now retrieved from the calendar mailbox.
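As an added worked example (not DavMail's code; the sample card and the function names are invented here), the following Python rewrites a vCard 3.0 card's BDAY and inline PHOTO into the vCard 4.0 forms named above: the basic-format date of RFC 6350 and an RFC 2397 data URL. The unfolding step matters in practice because real exporters fold the long base64 photo line.

```python
"""Added example: rewrite the two vCard 3.0 properties the page mentions into
their vCard 4.0 forms.  Constructed for illustration, not DavMail's code;
the sample card and the function names are invented here.
  BDAY   1985-04-12                      ->  19850412                        (RFC 6350)
  PHOTO  ;ENCODING=b;TYPE=JPEG:<base64>  ->  data:image/jpeg;base64,<base64> (RFC 2397)
"""
import base64
import re

_BDAY_V3 = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def bday_v3_to_v4(value: str) -> str:
    """'1985-04-12' -> '19850412'.  Other vCard 3.0 BDAY forms (date-time,
    year-less dates) are out of scope here and raise ValueError."""
    m = _BDAY_V3.match(value.strip())
    if not m:
        raise ValueError(f"unsupported BDAY value: {value!r}")
    return "".join(m.groups())


def photo_v3_to_v4(params: dict, value: str) -> str:
    """Inline base64 PHOTO -> RFC 2397 data URL.  The base64 is decoded with
    validate=True and re-encoded so malformed input is rejected rather than
    copied into the new card."""
    if params.get("ENCODING", "").upper() not in ("B", "BASE64"):
        raise ValueError("only inline base64 photos are converted")
    subtype = params.get("TYPE", "jpeg").lower()        # vCard 3.0 TYPE=JPEG -> image/jpeg
    raw = base64.b64decode(value, validate=True)
    return f"data:image/{subtype};base64,{base64.b64encode(raw).decode('ascii')}"


def convert_vcard(text: str) -> str:
    """Convert a vCard 3.0 card to 4.0 for VERSION, BDAY and inline PHOTO;
    every other property line is passed through unchanged."""
    # Unfold continuation lines (CRLF followed by a space or tab) before parsing.
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    out = []
    for line in unfolded.splitlines():
        # Split at the first ':'; quoted parameter values containing ':' are not handled.
        name, _, value = line.partition(":")
        prop, *raw_params = name.split(";")
        params = {}
        for p in raw_params:
            k, _, v = p.partition("=")
            params[k.upper()] = v
        prop = prop.upper()
        if prop == "VERSION":
            out.append("VERSION:4.0")
        elif prop == "BDAY":
            out.append("BDAY:" + bday_v3_to_v4(value))
        elif prop == "PHOTO" and "ENCODING" in params:
            out.append("PHOTO:" + photo_v3_to_v4(params, value))
        else:
            out.append(line)
    # Output lines are not re-folded at 75 octets; add that before writing to a file.
    return "\r\n".join(out) + "\r\n"


# Constructed sample card (CRLF line endings, photo line folded as a real
# exporter would).  The "photo" is the base64 of the bytes b"JPEGSTUB".
SAMPLE_VCARD_V3 = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Alice Example\r\n"
    "BDAY:1985-04-12\r\n"
    "PHOTO;ENCODING=b;TYPE=JPEG:SlBFR1\r\n"
    " NUVUI=\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    print(convert_vcard(SAMPLE_VCARD_V3))
```

The base64 round trip with validate=True is deliberate: a contact record is input anyone can send you, and copying unvalidated bytes into a data URL that a client will later render is how malformed data propagates from one system to the next.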

Ongoing Development

The release also highlights ongoing work on the Microsoft Graph API backend, which is intended as a long-term replacement for the Exchange Web Services layer. While this backend is still in development and not yet ready for production, it includes enhancements for LDAP search, contact synchronization, and event handling.

Conclusion

These updates are crucial for organizations relying on DavMail, as they enhance security and improve functionality. Users are encouraged to upgrade to version 6.6.0 to benefit from these important changes.

🔒 Pro Insight

The regex fix removes a ReDoS vector from that code path, which matters most where DavMail accepts connections from anything other than the local user's own mail client.
