Hi, I have a question about an OS command injection attack when forwarding e-mail to a command.

The Postfix alias database allows the following configuration. It forwards e-mail to the specified command:

    alias: /path/to/command

I think Postfix executes the following command (my guess...):

    echo $e_mail | /path/to/command

But e-mail is a kind of user-inputted value, so I'm worried that Postfix might execute commands in the content of an e-mail.

Of course I believe Postfix doesn't execute commands from a user-inputted value. But I couldn't find any evidence...

-- 
Kousuke Ebihara
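
An added example, not part of the original post and not Postfix code: it contrasts three ways a message can reach a command, namely as bytes on stdin (aliases(5) describes `|command` as "Mail is piped into command"), as an expanded shell variable like the guess above, and pasted into a command line that a shell parses. The message, the scratch paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and paths are hypothetical, the message is constructed.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
MARKER="$WORKDIR/executed"     # exists only if message text ran as a command
RECEIVED="$WORKDIR/received"   # what the receiving command read on stdin

# Constructed message whose body contains shell command substitutions.
MESSAGE="Subject: test

\$(touch $MARKER) \`touch $MARKER\` ; touch $MARKER"

receiver() { cat > "$RECEIVED"; }   # stand-in for /path/to/command

# 1. Message as data: written to the pipe, never parsed by a shell.
deliver_stdin() {
    rm -f "$MARKER"
    printf '%s\n' "$MESSAGE" | receiver
    [ ! -e "$MARKER" ]          # succeeds when nothing was executed
}

# 2. The guess from the post: the message sits in a variable. The result of
#    an expansion is not re-scanned for $(...) or backticks, so nothing runs
#    (left unquoted as in the post, it is still word-split and globbed).
deliver_variable() {
    rm -f "$MARKER"
    e_mail=$MESSAGE
    echo $e_mail | receiver
    [ ! -e "$MARKER" ]
}

# 3. Anti-pattern: message text becomes part of a command line that sh parses.
deliver_pasted() {
    rm -f "$MARKER"
    sh -c "echo $MESSAGE | cat > /dev/null" >/dev/null 2>&1
    [ -e "$MARKER" ]            # succeeds when message text was executed
}

deliver_stdin    && echo "stdin pipe:        message not executed"
deliver_variable && echo "variable expanded: message not executed"
deliver_pasted   && echo "pasted into sh -c: message EXECUTED"
```

Only the third form treats the message as code; the check for any mail-to-command setup is whether message content can ever reach a string that a shell parses.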