PT-2022-16837 · Maddy Mail Server (Maddy)

Sysf · Published 2022-03-07 · Updated 2022-03-17 · CVE-2022-24732

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: maddy versions prior to 0.5.4

Description: The issue concerns the Maddy Mail Server, an open source SMTP-compatible email server. When authenticating users through PAM, it does not check for password expiry or account expiry, so an account that the system considers expired can still authenticate. This affects configurations that use auth.pam on versions prior to 0.5.4. Users are advised to upgrade to address the issue. Those unable to upgrade should manually remove expired accounts via the existing filtering mechanisms.

Recommendations: For versions prior to 0.5.4, upgrade to version 0.5.4 or later to resolve the issue. As a temporary workaround, consider replacing auth.pam with auth.shadow if /etc/shadow authentication is used. Alternatively, blacklist expired accounts via the existing filtering mechanisms, for example by mapping expired accounts to invalid accounts through the auth map in storage.imapsql.

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2022-24732
GHSA-6CP7-G972-W9M9

Affected Products

Maddy Mail Server
Maddy