http://www.h-online.com/open/news/item/Care-needed-when-combining-Exim-and-Dovecot-1856664.html
A commonly used method of coupling the Exim and Dovecot mail server programs results in a serious security hole that allows attackers to inject and execute code. Penetration testers at RedTeam Pentesting came across the issue when performing tests for customers and established that it is caused by an officially recommended, but problematic configuration.
To avoid this, admins should remove the use_shell option from their transport configurations. The maintainers of the Dovecot wiki have already done so on their sample pages.
I don't have time to check and test our config properly at the moment, so does anyone know if DirectAdmin is vulnerable and what changes can be made if it is?
If I find out myself, I'll post it here.
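A check for the option the article names, as an added example that is not part of the original post and not code from Exim, Dovecot or DirectAdmin: it lists the pipe transports in an Exim configuration that have use_shell enabled. The sample configuration, the transport names and the deliver path are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = """\
begin transports

dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  use_shell
  user = mail

dovecot_fixed:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  user = mail
"""

def find_use_shell_transports(config_text):
    """Return names of pipe transports that have use_shell enabled."""
    # Join backslash-continued lines before looking at options.
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", config_text)
    section, name, transports = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:  # "begin transports", "begin routers", ...
            section, name = m.group(1).lower(), None
            continue
        if section != "transports":
            continue
        m = re.match(r"([A-Za-z0-9_]+):$", line)
        if m:  # start of a new transport definition
            name = m.group(1)
            transports[name] = {"driver": None, "use_shell": False}
            continue
        if name is None:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "driver":
            transports[name]["driver"] = value
        elif key == "use_shell":  # a bare boolean option name means true
            transports[name]["use_shell"] = value.lower() in ("true", "yes") if value else True
        elif key in ("no_use_shell", "not_use_shell"):
            transports[name]["use_shell"] = False
    return [n for n, t in transports.items() if t["driver"] == "pipe" and t["use_shell"]]

if __name__ == "__main__":
    print(find_use_shell_transports(SAMPLE_CONFIG))
```

The parser reads a single file and does not follow `.include` directives or expand macros, so run it over each included file as well.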