Hi Bucky,

On 25 Jun 2020 07:12:27, Bucky Carr via spamdyke-users wrote:
> Do you need to use 'softlimit'?

Yes, using softlimit to restrict process memory limit is useful, and in fact 
necessary to prevent this remotely-exploitable vulnerability in qmail:

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

“TLDR: In 2005, three vulnerabilities were discovered in qmail but were
never fixed because they were believed to be unexploitable in a default
installation. We recently re-discovered these vulnerabilities and were
able to exploit one of them remotely in a default installation.”

The RCE can be mitigated by:

- using softlimit to restrict process memory limit, even on qmail-local
- configuring databytes to limit email message size.

or by applying the patches included in the article linked above. 

Quinn
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
https://spamdyke.org/mailman/listinfo/spamdyke-users
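
An audit of the two mitigations listed in the message above, as an added example that is not part of the original post or of the qmail or spamdyke projects. The control directory and run-script paths are arguments supplied by the caller (assumptions, since they differ between installs), and the check looks only for daemontools' `softlimit -m`.

```shell
#!/bin/sh
# Added example: report whether databytes and softlimit are configured.

# check_databytes CONTROL_DIR
# Succeeds only if CONTROL_DIR/databytes holds a positive integer.
# A missing file or a value of 0 means qmail-smtpd applies no size limit.
check_databytes() {
    f="$1/databytes"
    [ -r "$f" ] || { echo "FAIL: $f missing (no size limit)"; return 1; }
    v=$(head -n 1 "$f" | tr -d '[:space:]')
    case "$v" in
        ''|*[!0-9]*) echo "FAIL: $f is not a number: '$v'"; return 1 ;;
    esac
    [ "$v" -gt 0 ] || { echo "FAIL: $f is 0 (no size limit)"; return 1; }
    echo "OK: databytes=$v"
}

# check_softlimit RUN_SCRIPT
# Succeeds only if a non-comment line invokes softlimit with -m <bytes>.
# softlimit -m caps data, stack, locked and total memory for the process
# it starts, and child processes inherit those limits.
check_softlimit() {
    if grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq 'softlimit([[:space:]]+-[a-z][[:space:]]*[0-9]+)*[[:space:]]+-m[[:space:]]*[0-9]+'; then
        echo "OK: $1 sets a memory limit"
    else
        echo "FAIL: $1 has no 'softlimit -m <bytes>'"
        return 1
    fi
}

# Usage: sh audit.sh CONTROL_DIR RUN_SCRIPT
# Both paths are whatever your install uses; run it once per service.
if [ "$#" -eq 2 ]; then
    rc=0
    check_databytes "$1" || rc=1
    check_softlimit "$2" || rc=1
    exit "$rc"
fi
```

Run it against the run script of every qmail service, including the one that ends up starting qmail-local, since the message notes the limit is needed there too.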
