Re: [Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

2013-08-19 Thread Frerich Raabe

On 2013-08-02 14:25, Timo Sirainen wrote:

> On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> 
> > I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
> > made aware of the fact that the way in which Exim invokes dovecot-lda is
> > prone to code injection:
> > 
> > dovecot_virtual_delivery:
> >    driver = pipe
> >    command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda -f \$sender_address
> >    use_shell
> >    ..
> > 
> > I.e. a command is executed via the shell, and Exim uses non-sanitized
> > user input (mail header fields) to construct the command.
> > 
> > Now, the reason I invoked dovecot like that is to pass a plausible
> > value for the HOME environment variable, so that dovecot-lda can
> > determine where the Maildir directory of the recipient is. Is there any
> > way to achieve this without requiring HOME to be set correctly? I looked
> > at the -m switch but as far as I can see that merely defines the
> > destination mailbox, but not the path to the Maildir directory, correct?
> 
> Maybe set mail_home = /home/vmail/%n ?


Sorry for the late reply, I totally forgot to follow-up on this. Setting mail_home
didn't seem to help (according to 'doveadm user' the home directory was already
computed correctly). It turned out that what *did* help was to pass '-d $local_part'
to dovecot-lda. Apparently that makes it do a userdb lookup which in turn makes it
figure out the home directory.

--
Frerich Raabe - ra...@froglogic.com
www.froglogic.com - Multi-Platform GUI Testing
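The two transports discussed in this thread side by side, as an added illustration that is not from the thread or from the Exim or Dovecot documentation: the original `use_shell` form, and a variant that drops the shell and passes the recipient with `-d` as the follow-up found. The transport names, the `vmail` user and group, and the logging options are assumptions.

```conf
# Original pattern from the thread: use_shell hands the expanded command
# string to /bin/sh, so shell metacharacters in $local_part or
# $sender_address (both taken from the incoming message) become syntax.
dovecot_virtual_delivery_unsafe:
  driver = pipe
  command = HOME=/home/vmail/$local_part /usr/lib/dovecot/dovecot-lda -f $sender_address
  use_shell

# Hardened variant (assumed name). Without use_shell Exim splits the
# command into an argument vector itself and expands each argument
# separately; the expansion result is not split again, so a local part
# containing spaces, quotes or ';' stays a single argv entry and no
# shell is involved. The recipient goes to dovecot-lda via -d, which
# triggers the userdb lookup that yields the home directory, so HOME
# no longer has to be set by the transport at all.
dovecot_virtual_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -d $local_part -f $sender_address
  user = vmail
  group = vmail
  # Log what dovecot-lda writes on failure so delivery problems are
  # visible in the Exim logs rather than silently bounced.
  return_fail_output
  log_defer_output
```

After a reload, `exim -bP transport dovecot_virtual_delivery` prints the effective options for the transport, which makes it easy to confirm that `use_shell` is no longer set on the delivery path.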


Re: [Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

2013-08-02 Thread Timo Sirainen
On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> Hi,
> 
> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently 
> made aware of the fact that the way in which Exim invokes dovecot-lda is 
> prone to code injection:
> 
> dovecot_virtual_delivery:
>    driver = pipe
>    command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda -f \$sender_address
>    use_shell
>    ..
> 
> I.e. a command is executed via the shell, and Exim uses non-sanitized 
> user input (mail header fields) to construct the command.
> 
> Now, the reason I invoked dovecot like that is to pass a plausible 
> value for the HOME environment variable, so that dovecot-lda can 
> determine where the Maildir directory of the recipient is. Is there any 
> way to achieve this without requiring HOME to be set correctly? I looked 
> at the -m switch but as far as I can see that merely defines the 
> destination mailbox, but not the path to the Maildir directory, correct?

Maybe set mail_home = /home/vmail/%n ?
Re: [Dovecot] Calling dovecot-lda correctly from exim for virtual user setup

2013-07-30 Thread Frerich Raabe

On 2013-07-30 14:55, Frerich Raabe wrote:

Now, the reason I invoked dovecot like that is to pass a plausible
value for the HOME environment variable, so that dovecot-lda can
determine where the Maildir directory of the recipient is.


...for the sake of completeness: this stems from the fact that I use

  mail_location = maildir:~/Maildir

in my dovecot.conf

--
Frerich Raabe - ra...@froglogic.com
www.froglogic.com - Multi-Platform GUI Testing