Hi,
I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently made aware of the fact that the way in which Exim invokes dovecot-lda is prone to code injection:
  dovecot_virtual_delivery:
    driver = pipe
    command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda -f $sender_address
    use_shell
    ..
I.e. a command is executed via the shell, and Exim uses non-sanitized user input (mail header fields) to construct the command.
Now, the reason I invoked dovecot like that is to pass a plausible value for the HOME environment variable, so that dovecot-lda can determine where the Maildir directory of the recipient is. Is there any way to achieve this without requiring HOME to be set correctly? I looked at the -m switch but as far as I can see that merely defines the destination mailbox, but not the path to the Maildir directory, correct?
--
Frerich Raabe - raabe@froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
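An added example (not the poster's configuration) of the same transport rewritten so that no shell is involved: the `vmail` user, the `/home/vmail` path and the `-d` form of the dovecot-lda call are assumptions, and the transport's other options are left as they were.

```exim
# Constructed Exim pipe transport for dovecot-lda; not from the original post.
# Without use_shell, Exim splits the command into arguments *before*
# expanding them, so an expanded $local_part or $sender_address that
# contains shell metacharacters reaches dovecot-lda as one argv entry
# and is never interpreted by /bin/sh.
dovecot_virtual_delivery:
  driver = pipe
  # -d names the user being delivered to; dovecot-lda then resolves the
  # mailbox location through its own userdb (assumed to be configured)
  # instead of trusting the caller's HOME.
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address -d $local_part@$domain
  # If dovecot-lda must still receive HOME from the caller, set it with the
  # transport's home_directory option, which Exim exports as HOME into the
  # pipe's environment without any shell.
  home_directory = /home/vmail/$local_part
  user = vmail
  group = vmail
  # The original transport's "use_shell" line is intentionally absent.
```

$local_part remains untrusted data that is used to build a filesystem path here, so the router should only hand this transport local parts it has validated (for example via a lookup against the list of mailboxes).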