[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

Frerich Raabe raabe at froglogic.com
Tue Jul 30 15:55:06 EEST 2013


Hi,

I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently 
made aware of the fact that the way in which Exim invokes dovecot-lda is 
prone to code injection:

dovecot_virtual_delivery:
   driver = pipe
   command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda -f \$sender_address
   use_shell
   ..

I.e. a command is executed via the shell, and Exim uses non-sanitized 
user input (mail header fields) to construct the command.

Now, the reason I invoked dovecot like that is to pass a plausible 
value for the HOME environment variable, so that dovecot-lda can 
determine where the Maildir directory of the recipient is. Is there any 
way to achieve this without requiring HOME to be set correctly? I looked 
at the -m switch but as far as I can see that merely defines the 
destination mailbox, but not the path to the Maildir directory, correct?

-- 
Frerich Raabe - raabe at froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
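The transport quoted in the message next to a form that drops use_shell, as an added example that is not part of the original post: without use_shell Exim splits the command into arguments itself and expands each one separately, so shell metacharacters in $sender_address are passed to dovecot-lda as one literal argument, and the HOME assignment (which only worked because /bin/sh parsed it) is replaced by the transport's home_directory option, which Exim exports to the child process as HOME. The user, group and path values are assumptions for illustration.

```exim
# Added example, not from the original message or from Dovecot/Exim docs.

# --- weak: after expansion the whole string is handed to /bin/sh -c, so
# --- anything in the Sender/MAIL FROM address is parsed by the shell.
dovecot_virtual_delivery_shell:
  driver = pipe
  command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda -f $sender_address
  use_shell
  user = vmail                          # assumed delivery user

# --- corrected: no shell. Exim splits "command" into argv itself and
# --- expands each argument on its own; an expansion result is never
# --- re-split or interpreted, so $sender_address stays a single argument.
# --- home_directory is exported to the pipe as HOME, so dovecot-lda still
# --- sees HOME=/home/vmail/<local_part> without a shell assignment.
dovecot_virtual_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address
  home_directory = /home/vmail/$local_part
  user = vmail                          # assumed delivery user
  group = vmail                         # assumed delivery group
  # Equivalent alternative if more variables are needed:
  # environment = HOME=/home/vmail/$local_part

# $local_part is still recipient-controlled input that ends up in a path;
# the router that feeds this transport should reject local parts containing
# "/" or leading "." (e.g. with a local_parts condition) before they get here.
```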
