[Dovecot] sieve + notify + $subject$ + empty subject = segv
Hello,
we can reproduce a bug where lmtp crashes:
LMTP telnet session:
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 lisa.m-otion.at Dovecot ready.
    lhlo xyz
    250-xyz.m-otion.at
    250-8BITMIME
    250-ENHANCEDSTATUSCODES
    250 PIPELINING
    mail from:<xyz@m-otion.at>
    250 2.1.0 OK
    rcpt to:<my_mailbox>
    250 2.1.5 OK
    data
    354 OK
    From:<xyz@m-otion.at>
    test
    .
    Connection closed by foreign host.
/var/log/messages tells me:
    Nov 11 00:07:00 mail kernel: lmtp[15868]: segfault at 0000000000000000 rip 00002b1960d01d70 rsp 00007fff3fa95908 error 4
pigeonhole 0.4.2, dovecot 2.2.6
and this is what I found out: If you use a sieve script containing the following line
    notify :method "mailto" :options "xyz" :message "$from$*#+$subject$";
and send a mail without a Subject: header line, lmtp crashes. The bug is related to the sieve module in /src/lib-sieve/plugins/notify/ext-notify-common.c:266. The line contains only a check if mail_get_headers_utf8 returns an error. So the workaround for this line would be to add a check if header[0] is not NULL.
    if ( (mail_get_headers_utf8(msgdata->mail, "subject", &header) >= 0) && header[0] )
        str_append(out_msg, header[0]);
IMHO this patch should be applied to the "$from$" replacement as well. The comments in Dovecot's header file say for mail_get_headers: Returns -1 if error, 0 otherwise (with or without headers found).
Hope it helps,
Regards
Christian Ferbar
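The failure mode described in the message above, as an added example that is not part of the original post and is not Pigeonhole's code: a lookup that returns 0 with an empty, NULL-terminated result must have header[0] checked before use. The names get_headers, expand_notify_message and sample_from are hypothetical, and get_headers copies only the return contract quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample message: a From header and no Subject header. */
static const char sample_from[] = "<xyz@m-otion.at>";

/* Hypothetical lookup, same contract as quoted above: -1 on error, 0 otherwise.
 * A missing header still returns 0, and then (*values_r)[0] == NULL. */
static int get_headers(const char *name, const char *const **values_r) {
    static const char *found[2];   /* found[1] stays NULL as the terminator */
    found[0] = strcmp(name, "from") == 0 ? sample_from : NULL;
    *values_r = found;
    return 0;
}

/* Expands $from$/$subject$; returns the length, or -1 on error or overflow. */
static int expand_notify_message(const char *tmpl, char *out, size_t outsz) {
    static const char *const vars[] = { "from", "subject" };
    const char *const *header;
    size_t len = 0, v, n = 0;
    if (outsz == 0) return -1;
    while (*tmpl != '\0') {
        for (v = 0; v < 2; v++) {
            n = strlen(vars[v]);
            if (*tmpl == '$' && !strncmp(tmpl + 1, vars[v], n) && tmpl[n + 1] == '$')
                break;
        }
        if (v == 2) {                       /* literal character */
            if (len + 1 >= outsz) return -1;
            out[len++] = *tmpl++;
            continue;
        }
        tmpl += n + 2;                      /* skip over "$name$" */
        if (get_headers(vars[v], &header) < 0) return -1;
        if (header[0] == NULL) continue;    /* return code alone is not enough */
        n = strlen(header[0]);
        if (len + n >= outsz) return -1;
        memcpy(out + len, header[0], n);
        len += n;
    }
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    char buf[64];
    if (expand_notify_message("$from$*#+$subject$", buf, sizeof(buf)) < 0) return 1;
    return puts(buf) < 0;
}
```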
On 11/11/2013 12:54 AM, Christian Ferbar wrote:
> Hello,
> we can reproduce a bug where lmtp crashes:
> If you use a sieve script containing the following line
>     notify :method "mailto" :options "xyz" :message "$from$*#+$subject$";
> and send a mail without a Subject: header line, lmtp crashes. The bug is related to the sieve module in /src/lib-sieve/plugins/notify/ext-notify-common.c:266. The line contains only a check if mail_get_headers_utf8 returns an error. So the workaround for this line would be to add a check if header[0] is not NULL.
This is an old one. Good catch. This should fix it:
http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/44f659981723
I solved it slightly differently. Also added tests.
Regards,
Stephan.
Participants (2):
- Christian Ferbar
- Stephan Bosch