Care needed when combining Exim and Dovecot
A commonly used method of coupling the Exim and Dovecot mail server programs results in a serious security hole that allows attackers to inject and execute code. Penetration testers at RedTeam Pentesting came across the issue when performing tests for customers and established that it is caused by an officially recommended, but problematic configuration.
The Exim mail server often uses the Dovecot POP and IMAP server for delivering local emails; in such configurations, Dovecot acts as the "Local Delivery Agent". Setting the use_shell parameter in the Exim configuration – as suggested in documents such as the Dovecot wiki – creates a security hole. For example, it could allow attackers to compose a sender address that will cause Dovecot to execute embedded shell commands when delivering the email. The shell commands, in turn, could use a component such as wget to download and then execute a program from the internet.
To avoid this, admins should remove the use_shell option from their transport configurations. The maintainers of the Dovecot wiki have already done so on their sample pages.
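The following pair of Exim pipe transports is an added illustration and is not taken from the article or from the Dovecot wiki. The transport names, the path to the Dovecot LDA binary and the vmail user are assumptions; only the use_shell option and the pipe transport mechanism are what the article describes. The first definition carries the problematic option, the second is the same transport with it removed.

```exim
# Illustrative Exim pipe transport handing mail to the Dovecot LDA.
# Constructed for this article; transport names, the /usr/lib/dovecot/deliver
# path and the vmail user/group are assumptions, not values from the article.

# WEAK: with use_shell set, Exim expands the whole command string first and
# then hands it to /bin/sh -c, so shell metacharacters that arrive inside the
# expanded $sender_address are interpreted by the shell before deliver runs.
dovecot_lda_unsafe:
  driver = pipe
  use_shell
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  user = vmail
  group = vmail

# CORRECTED: without use_shell, Exim splits the command into arguments itself
# and expands each argument separately. The sender address therefore reaches
# deliver as a single argv element whatever characters it contains, and no
# shell is involved in the delivery.
dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address
  user = vmail
  group = vmail
  return_path_add
  delivery_date_add
  envelope_to_add
  log_output
```

The same reasoning applies to any pipe transport whose command interpolates message-derived data such as $sender_address or $local_part, not only to the Dovecot coupling. To check a running installation, search the Exim configuration for use_shell and confirm with `exim -bP transport <name>` that the effective settings of each pipe transport no longer include it.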
(djwm)