Directadmin vulnerable to dovecot security issue?

Netbulae

Verified User
Joined
May 8, 2009
Messages
7
http://www.h-online.com/open/news/item/Care-needed-when-combining-Exim-and-Dovecot-1856664.html

A commonly used method of coupling the Exim and Dovecot mail server programs results in a serious security hole that allows attackers to inject and execute code. Penetration testers at RedTeam Pentesting came across the issue when performing tests for customers and established that it is caused by an officially recommended, but problematic configuration.

To avoid this, admins should remove the use_shell option from their transport configurations. The maintainers of the Dovecot wiki have already done so on their sample pages.


I don't have time to check and test our config properly at the moment, so does anyone know if directadmin is vulnerable and what changes can be made if it is.

If I find out myself, I'll post it here.
 
okay thx thats the answer smtalk :)

but it seems that is the actually perl hacks are tuned old backdoors
 
We've started seeing these emails. I posted in Email forum, just realised this post.

Guess we are safe, as we do not use use_shell
 
DirectAdmin does not use LDA in exim.conf, but you should be careful if you used http://forum.directadmin.com/showthread.php?t=36710&p=182452#post182452 (just remove use_shell from exim.conf and restart exim to fix it).
I've commented the use_shell line in the code in that thread, and I've added a post to the bottom to let users know to remove it from their copy of exim.conf.

I use a much simpler method in my version of SpamBlocker4 for Dovecot Delivery (not yet generally available); it doesn't include the use_shell line. However it may not work with what that thread calls subaddresses; not tested.

Jeff
 
Slightly off-topic but I'm considering using Dovecot as delivery agent in next version of SpamBlocker, as more people are moving to IMAP and this puts filtering on the server where it needs to be.

Any thoughts on the matter?

Jeff
 
Back
Top