Hacker News
by gfs 853 days ago
> “The feedback from my team was an issue with the Ansible playbook that controls the Nginx configuration for our IMAP servers,” Carter said, noting that this incorrect configuration was put in place by a former employee and never caught.

Even if this were true, that is a pathetic response.


This would've been found in even the most cursory of penetration tests performed by a competent practitioner. I am curious if any have been done.
That's a very valid concern, but the larger one for me is that it implies that their IMAP servers are sitting right on the internet (no firewall/load-balancer/reverse proxy/whatever), or that they've automated their infrastructure so much that network-level security controls are essentially bypassed because any services in the Ansible definition are assumed to be authorized/intentional, or that someone intentionally added this one as a ham-fisted backdoor into customer email.
It also needs to be part of any regression testing against new releases. Doing it once against current code does nothing other than say "right now we're okay". I know. I've personally been burned by the assumption that what was tested previously is assumed to still be good now.
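The last two comments make a practical point: a listener that an automation playbook renders should not be treated as authorized just because it exists, and whatever check catches that has to run on every release, not once. The following is an added example written for this thread, not code from Hacker News, the commenters, or the company discussed. It assumes an nginx configuration rendered by an Ansible playbook (the sample config, the `example.test` hostnames and the allowlist are all constructed here) and turns the "approved listener set" into a regression check that a CI job can fail on: every `listen` directive is parsed, compared against an allowlist of (address, port) pairs with required flags such as `ssl`, and any listener that is unexpected, missing, or weaker than approved is reported.

```python
"""Regression check for rendered nginx listeners, meant to run as a CI gate.

Added illustration for this thread (not code from Hacker News, the commenters,
or the company discussed). It assumes nginx configuration text rendered by an
Ansible playbook plus an allowlist of listeners that a change review approved;
the sample config and hostnames below are constructed for the example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a rendered nginx mail/http config.
SAMPLE_CONFIG = """
mail {
    server_name mail.example.test;
    auth_http   127.0.0.1:9000/auth;

    server {
        listen 993 ssl;
        protocol imap;
        ssl_certificate /etc/ssl/mail.pem;
    }

    server {
        listen 143;
        protocol imap;
        starttls on;
    }

    server {
        listen 0.0.0.0:8143;   # a listener nobody approved
        protocol imap;
    }
}

http {
    server {
        listen 443 ssl;
        server_name webmail.example.test;
    }
}
"""

# Listeners the change review approved: (address, port) -> flags that must be set.
ALLOWED_LISTENERS: Dict[Tuple[str, int], Set[str]] = {
    ("*", 993): {"ssl"},
    ("*", 143): set(),
    ("*", 443): {"ssl"},
}

# Matches `listen <target> [flags...];` anywhere in the config; the `[^;]+`
# stops at the terminating semicolon, so trailing `#` comments are ignored.
_LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")


def parse_listeners(config_text: str) -> List[Tuple[str, int, Set[str]]]:
    """Return (address, port, flags) for every `listen` directive.

    Handles `listen 993 ssl;`, `listen 0.0.0.0:8143;`, `listen [::]:143;`
    and `listen 127.0.0.1:9000;`; a bare port is reported with address '*'.
    """
    found = []
    for match in _LISTEN_RE.finditer(config_text):
        parts = match.group(1).split()
        target, flags = parts[0], set(parts[1:])
        if target.startswith("["):            # IPv6 literal: [addr]:port
            addr, _, port = target.rpartition("]:")
            addr = addr.lstrip("[")
        elif ":" in target:                   # IPv4 literal: addr:port
            addr, _, port = target.rpartition(":")
        else:                                 # bare port
            addr, port = "*", target
        found.append((addr, int(port), flags))
    return found


def check_listeners(config_text: str,
                    allowed: Dict[Tuple[str, int], Set[str]]) -> List[str]:
    """Return findings as strings; an empty list means the rendered config
    exposes exactly the approved listeners with the approved flags.
    0.0.0.0, :: and * are folded into the wildcard '*' so that `listen 993`
    and `listen 0.0.0.0:993` compare equal."""
    findings: List[str] = []
    seen: Set[Tuple[str, int]] = set()
    for addr, port, flags in parse_listeners(config_text):
        key = ("*" if addr in ("0.0.0.0", "::", "*") else addr, port)
        seen.add(key)
        if key not in allowed:
            findings.append(f"unexpected listener {addr}:{port} (flags={sorted(flags)})")
            continue
        missing = allowed[key] - flags
        if missing:
            findings.append(f"listener {addr}:{port} lacks required {sorted(missing)}")
    for key in allowed:
        if key not in seen:
            findings.append(f"approved listener {key[0]}:{key[1]} is missing")
    return findings


if __name__ == "__main__":
    # Exit non-zero so a pipeline step fails when the listener set drifts.
    problems = check_listeners(SAMPLE_CONFIG, ALLOWED_LISTENERS)
    print("\n".join(problems) or "listener set matches allowlist")
    raise SystemExit(1 if problems else 0)
```

Run against the rendered config after `ansible-playbook --check` or a template render step, the script exits non-zero on the unapproved `0.0.0.0:8143` listener in the sample. The allowlist lives in version control next to the playbook, so adding a listener requires changing the allowlist in the same review, which is the point the comments above are making: exposure is decided by an explicit approval, not by whatever the automation happens to render, and the check reruns on every release.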