Frerich Raabe
2013-Jul-30 12:55 UTC
[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup
Hi,

I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently made aware of the fact that the way in which Exim invokes dovecot-lda is prone to code injection:

  dovecot_virtual_delivery:
    driver = pipe
    command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda -f $sender_address
    use_shell
    ..

I.e. a command is executed via the shell, and Exim uses non-sanitized user input (mail header fields) to construct the command.

Now, the reason I invoked dovecot like that is to pass a plausible value for the HOME environment variable, so that dovecot-lda can determine where the Maildir directory of the recipient is. Is there any way to achieve this without requiring HOME to be set correctly? I looked at the -m switch but as far as I can see that merely defines the destination mailbox, but not the path to the Maildir directory, correct?

-- 
Frerich Raabe - raabe at froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
Frerich Raabe
2013-Jul-30 13:09 UTC
[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup
On 2013-07-30 14:55, Frerich Raabe wrote:
> Now, the reason I invoked dovecot like that is to pass a plausible
> value for the HOME environment variable, so that dovecot-lda can
> determine where the Maildir directory of the recipient is.

...for the sake of completeness: this stems from the fact that I use

  mail_location = maildir:~/Maildir

in my dovecot.conf

-- 
Frerich Raabe - raabe at froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
Timo Sirainen
2013-Aug-02 12:25 UTC
[Dovecot] Calling dovecot-lda correctly from exim for virtual user setup
On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> Hi,
>
> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
> made aware of the fact that the way in which Exim invokes dovecot-lda is
> prone to code injection:
>
>   dovecot_virtual_delivery:
>     driver = pipe
>     command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda
>       -f $sender_address
>     use_shell
>     ..
>
> I.e. a command is executed via the shell, and Exim uses non-sanitized
> user input (mail header fields) to construct the command.
>
> Now, the reason I invoked dovecot like that is to pass a plausible
> value for the HOME environment variable, so that dovecot-lda can
> determine where the Maildir directory of the recipient is. Is there any
> way to achieve this without requiring HOME to be set correctly? I looked
> at the -m switch but as far as I can see that merely defines the
> destination mailbox, but not the path to the Maildir directory, correct?

Maybe set mail_home = /home/vmail/%n ?
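The injection risk Frerich describes comes from use_shell: Exim expands the whole command string and hands it to /bin/sh -c, so shell metacharacters in $sender_address become shell syntax. Without use_shell, Exim splits the configured command into words before expanding each one, so whatever an expansion produces stays a single argv entry. The script below is an added example, not code from this thread, from Exim or from Dovecot; it emulates both execution styles with a small stand-in script in place of dovecot-lda, and the sender address with the embedded ";echo INJECTED" is a constructed test input.

```shell
# Added example: how an Exim pipe transport command behaves with and
# without use_shell. A throw-away stand-in script replaces dovecot-lda
# so this runs anywhere; it only reports what it was given.

LDA=$(mktemp)                      # stand-in for /usr/lib/dovecot/dovecot-lda
trap 'rm -f "$LDA"' EXIT
cat > "$LDA" <<'EOF'
echo "home=$HOME argc=$# sender=[$2]"
EOF

# use_shell style: Exim expands the command to one string and runs
# /bin/sh -c "<string>", so the sender address is parsed as shell input.
deliver_use_shell() {
    local_part=$1; sender=$2
    sh -c "HOME=/home/vmail/$local_part sh $LDA -f $sender"
}

# no use_shell style: each expanded word is passed as exactly one argument,
# whatever characters it contains. (HOME is set via a prefix assignment
# here; in a real transport it would come from the transport's own
# environment handling, not from the command string.)
deliver_argv() {
    local_part=$1; sender=$2
    HOME="/home/vmail/$local_part" sh "$LDA" -f "$sender"
}

# Constructed sender address carrying shell metacharacters.
EVIL='attacker@example.com;echo INJECTED'

echo '--- use_shell: the ;echo runs as a second command ---'
deliver_use_shell alice "$EVIL"
echo '--- direct argv: the whole address is one argument ---'
deliver_argv alice "$EVIL"
```

In the use_shell run the stand-in sees sender=[attacker@example.com] and a separate "INJECTED" line appears, because the shell executed the text after the semicolon as its own command; in the argv run the stand-in receives the entire string, semicolon and all, as the single value of -f. The only fully safe fix on the Exim side is to drop use_shell, which in turn means HOME cannot be set from the command line, which is why a Dovecot-side setting such as the mail_home suggestion above is the right direction.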