[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

Frerich Raabe raabe at froglogic.com
Tue Aug 20 03:12:04 EEST 2013


On 2013-08-02 14:25, Timo Sirainen wrote:
> On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
>> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
>> made aware of the fact that the way in which Exim invokes dovecot-lda
>> is prone to code injection:
>>
>> dovecot_virtual_delivery:
>>    driver = pipe
>>    command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda -f \$sender_address
>>    use_shell
>>    ..
>>
>> I.e. a command is executed via the shell, and Exim uses non-sanitized
>> user input (mail header fields) to construct the command.
>>
>> Now, the reason I invoked dovecot like that is to pass a plausible
>> value for the HOME environment variable, so that dovecot-lda can
>> determine where the Maildir directory of the recipient is. Is there
>> any way to achieve this without requiring HOME to be set correctly?
>> I looked at the -m switch but as far as I can see that merely defines
>> the destination mailbox, but not the path to the Maildir directory,
>> correct?
>
> Maybe set mail_home = /home/vmail/%n ?

Sorry for the late reply, I totally forgot to follow up on this.
Setting mail_home didn't seem to help (according to 'doveadm user' the
home directory was already computed correctly). It turned out that what
*did* help was to pass '-d $local_part' to dovecot-lda. Apparently that
makes it do a userdb lookup which in turn makes it figure out the home
directory.

-- 
Frerich Raabe - raabe at froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
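For reference, a hardened version of the transport discussed in this thread, written here as an added example and not configuration taken from the thread or from the Dovecot project. It applies the two changes the discussion points to: `use_shell` is dropped, so Exim splits the command into arguments itself and expands each one separately, which means a crafted sender address or local part can no longer break out of the command line; and `-d $local_part` is passed so dovecot-lda resolves the home directory through a userdb lookup instead of relying on HOME. The `vmail` user and group, the Debian path to `dovecot-lda` and the `temp_errors` list are assumptions for a typical virtual-user setup and should be checked against the local installation.

```exim
# Added example, not from the thread. Assumes a "vmail" system user owning the
# mail store and the Debian path to dovecot-lda; adjust both as needed.
dovecot_virtual_delivery:
  driver = pipe
  # No use_shell: Exim splits the command into arguments before expanding each
  # one, so shell metacharacters in $sender_address or $local_part reach
  # dovecot-lda as literal argument text and are never interpreted by a shell.
  # -d makes dovecot-lda look the user up in the userdb, which yields the home
  # directory, so HOME no longer has to be set from the transport.
  command = /usr/lib/dovecot/dovecot-lda -d $local_part -f $sender_address
  # Run the delivery agent as the owner of the virtual mail store.
  user = vmail
  group = vmail
  # Hand dovecot-lda the raw message: no mbox "From " line, no extra newline.
  message_prefix =
  message_suffix =
  # Treat sysexits.h temporary-failure codes as a deferral rather than a bounce.
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
  # Record anything dovecot-lda writes to stdout/stderr in the Exim log.
  log_output
```

Without `use_shell`, the `$sender_address` expansion becomes a single argv entry regardless of its contents, which is the property that closes the injection the original configuration had; if the setup has several domains, `-d $local_part@$domain` is the usual form instead of the bare local part.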

