[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

Timo Sirainen tss at iki.fi
Fri Aug 2 15:25:51 EEST 2013


On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> Hi,
> 
> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently 
> made aware of the fact that the way in which Exim invokes dovecot-lda is 
> prone to code injection:
> 
> dovecot_virtual_delivery:
>    driver = pipe
>    command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda 
> -f \$sender_address
>    use_shell
>    ..
> 
> I.e. a command is executed via the shell, and Exim uses non-sanitized 
> user input (mail header fields) to construct the command.
> 
> Now, the reason I invoked dovecot like that is to pass a plausible 
> value for the HOME environment variable, so that dovecot-lda can 
> determine where the Maildir directory of the recipient is. Is there any 
> way to achieve this without requiring HOME to be set correctly? I looked 
> at the -m switch but as far as I can see that merely defines the 
> destination mailbox, but not the path to the Maildir directory, correct?

Maybe set mail_home = /home/vmail/%n ?




More information about the dovecot mailing list