On 2013-08-02 14:25, Timo Sirainen wrote:
On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
made aware of the fact that the way in which Exim invokes dovecot-lda is
prone to code injection:
dovecot_virtual_delivery:
On Tue, 2013-07-30 at 14:55 +0200, Frerich Raabe wrote:
> Hi,
>
> I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
> made aware of the fact that the way in which Exim invokes dovecot-lda is
> prone to code injection:
>
> dovecot_virtual_delivery:
>driver = pipe
>comm
On 2013-07-30 14:55, Frerich Raabe wrote:
Now, the reason I invoked dovecot like that is to pass a plausible
value for the HOME environment variable, so that dovecot-lda can
determine where the Maildir directory of the recipient is.
...for the sake of completeness: this stems from the fact that
Hi,
I'm running Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently
made aware of the fact that the way in which Exim invokes dovecot-lda is
prone to code injection:
dovecot_virtual_delivery:
driver = pipe
command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda
-f \$sen