[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup
Timo Sirainen
tss at iki.fi
Fri Aug 2 15:25:51 EEST 2013
On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> Hi,
>
> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
> made aware of the fact that the way in which Exim invokes dovecot-lda is
> prone to code injection:
>
> dovecot_virtual_delivery:
> driver = pipe
> command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda
> -f \$sender_address
> use_shell
> ..
>
> I.e. a command is executed via the shell, and Exim uses non-sanitized
> user input (mail header fields) to construct the command.
>
> Now, the reason I invoked dovecot like that is to pass a plausible
> value for the HOME environment variable, so that dovecot-lda can
> determine where the Maildir directory of the recipient is. Is there any
> way to achieve this without requiring HOME to be set correctly? I looked
> at the -m switch but as far as I can see that merely defines the
> destination mailbox, but not the path to the Maildir directory, correct?
Maybe set mail_home = /home/vmail/%n ?
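
An added example (not part of the original thread, and not code from Exim or Dovecot): a small Python audit that flags Exim pipe transports combining `use_shell` with envelope-derived expansion variables in `command`, the pattern described in the quoted message. The function name, the variable list and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed list of expansion variables filled from the message envelope.
TAINTED = ("local_part", "domain", "sender_address", "sender_address_local_part")
ENABLED = ("", "true", "yes")  # "use_shell" alone or with an explicit true value

SAMPLE = r"""
# constructed sample, modelled on the transport quoted above
dovecot_virtual_delivery:
  driver = pipe
  command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda \
            -f $sender_address
  use_shell

# hypothetical transport: no use_shell and no HOME= prefix
dovecot_fixed_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address
"""

def audit_pipe_transports(config_text):
    """Return {transport: [variables]} for pipe transports that set use_shell
    and expand envelope data into the command string."""
    # Join backslash-continued lines before parsing options.
    text = re.sub(r"\\\n\s*", "", config_text)
    blocks, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+):", line)
        if m:
            name = m.group(1)
            blocks[name] = {}
        elif name is not None:
            key, _, value = line.partition("=")
            blocks[name][key.strip()] = value.strip()
    findings = {}
    for name, opts in blocks.items():
        if opts.get("driver") != "pipe" or opts.get("use_shell") not in ENABLED:
            continue
        used = re.findall(r"\$\{?(\w+)", opts.get("command", ""))
        hits = sorted({v for v in used if v in TAINTED})
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    print(audit_pipe_transports(SAMPLE))
```
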