Hey list, I have a setup with postfix-2.9.3,1 using virtual users from a postgresql database. A thought suddenly occurred to me: what if someone tries to send email to a user like this: '; drop table mailbox;' Does postfix properly escape fields when querying a sql database? My virtual-users configuration is below.
    virtual_mailbox_base = /usr/local/vmail
    virtual_minimum_uid = 26
    virtual_uid_maps = static:26
    virtual_gid_maps = static:6
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/sql/virtual_domains_maps
    virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_maps,
        proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_maps,
        proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_catchall_maps
    virtual_mailbox_maps = proxy:pgsql:/usr/local/etc/postfix/sql/virtual_mailbox_maps,
        proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_mailbox_maps

And in /usr/local/etc/postfix/sql/virtual_mailbox_maps:

    user = dbuser
    password = dbpass
    hosts = /tmp
    dbname = mail
    query = SELECT maildir FROM mailbox WHERE username='%s' AND active IS TRUE

Now I see that it quotes the username, but if someone tries SQL injection, this could still be an issue.

Thank you.
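An added illustration, not part of the original post: the lookup from the virtual_mailbox_maps file above, run against a constructed in-memory sqlite3 stand-in for the "mailbox" table, showing how the '; drop table mailbox;' key is handled when the value substituted for %s is SQL-quoted (pgsql_table(5) documents that Postfix quotes the input key this way) and, for comparison, when it is bound as a parameter. Assumptions: sqlite3 replaces PostgreSQL so the example runs offline, booleans are stored as integers (so "active IS TRUE" is written as "active = 1"), and all rows and the sql_quote helper are constructed here.

```python
import sqlite3

# Constructed stand-in for the post's PostgreSQL "mailbox" table (sqlite3 so it runs
# offline). Booleans are stored as integers, so the post's "active IS TRUE" becomes
# "active = 1" below; everything else follows the query in virtual_mailbox_maps.
SCHEMA = """
CREATE TABLE mailbox (username TEXT PRIMARY KEY, maildir TEXT, active INTEGER);
INSERT INTO mailbox VALUES ('alice@example.com',    'example.com/alice/',  1);
INSERT INTO mailbox VALUES ('bob@example.com',      'example.com/bob/',    0);
INSERT INTO mailbox VALUES ('o''brien@example.com', 'example.com/obrien/', 1);
"""

# Same shape as the post's query: %s is replaced by the lookup key.
QUERY_TEMPLATE = "SELECT maildir FROM mailbox WHERE username='%s' AND active = 1"


def fresh_db():
    """Create a throwaway database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def sql_quote(key):
    """Escape a key for embedding in a single-quoted SQL literal by doubling quotes.
    This stands in for the quoting pgsql_table(5) says Postfix applies to %s."""
    return key.replace("'", "''")


def lookup_quoted(conn, key):
    """Substitute the quoted key into the template; the key stays a string literal."""
    return [row[0] for row in conn.execute(QUERY_TEMPLATE % sql_quote(key))]


def lookup_parameterized(conn, key):
    """Same lookup with a bound parameter: the driver never parses the key as SQL."""
    sql = "SELECT maildir FROM mailbox WHERE username=? AND active = 1"
    return [row[0] for row in conn.execute(sql, (key,))]


def mailbox_table_exists(conn):
    """Confirm the table survived the lookups (it should)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='mailbox'").fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = fresh_db()
    for key in ("alice@example.com", "o'brien@example.com", "'; drop table mailbox;"):
        print(repr(key), lookup_quoted(db, key), lookup_parameterized(db, key))
    print("mailbox table still present:", mailbox_table_exists(db))
```

The o'brien row is included because quoting has to do two jobs: keep a hostile key inert and still match a legitimate address that happens to contain a quote.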