[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

Frerich Raabe raabe at froglogic.com
Tue Jul 30 15:55:06 EEST 2013


I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently 
made aware of the fact that the way in which Exim invokes dovecot-lda is 
prone to code injection:

   driver = pipe
   command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda 
-f \$sender_address

I.e. a command is executed via the shell, and Exim uses non-sanitized 
user input (mail header fields) to construct the command.

Now, the reason I invoked dovecot like that is to pass a plausible 
value for the HOME environment variable, so that dovecot-lda can 
determine where the Maildir directory of the recipient is. Is there any 
way to achieve this without requiring HOME to be set correctly? I looked 
at the -m switch but as far as I can see that merely defines the 
destination mailbox, but not the path to the Maildir directory, correct?

Frerich Raabe - raabe at froglogic.com
www.froglogic.com - Multi-Platform GUI Testing

More information about the dovecot mailing list