Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Graeme Fowler
Datum:  
To: exim-users
Betreff: Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution
On Mon, 2013-05-06 at 16:16 -0400, Phil Pennock wrote:
> This includes $h_* variables for looking at message headers, where
> there's even more flexibility for the attacker.


I'm slightly late to the list party on this one as I've been running
after errant racing cars all weekend, but (as I commented on the G+
thread for this) the default configuration's RCPT ACL would reject an
inbound email address containing backticks as being invalid.

This does not absolve the "use_shell" option of its risk, but does
mitigate it somewhat.

Graeme