Hey list,

I have a setup with postfix-2.9.3,1 using virtual users from a
PostgreSQL database. A thought suddenly occurred to me: what if
someone tries to send email to a user like this: '; drop table
mailbox;'
Does Postfix properly escape fields when querying an SQL database? My
virtual-users configuration is below.

virtual_mailbox_base = /usr/local/vmail
virtual_minimum_uid = 26
virtual_uid_maps = static:26
virtual_gid_maps = static:6
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop

virtual_mailbox_domains =
proxy:pgsql:/usr/local/etc/postfix/sql/virtual_domains_maps
virtual_alias_maps =
     proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_maps,
     proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_maps,
     proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_catchall_maps
virtual_mailbox_maps =
    proxy:pgsql:/usr/local/etc/postfix/sql/virtual_mailbox_maps,
    proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_mailbox_maps

And in /usr/local/etc/postfix/sql/virtual_mailbox_maps:

user = dbuser
password = dbpass
hosts = /tmp
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active IS TRUE

Now I see that it quotes the username, but if someone tries SQL
injection, this could still be an issue.

Thank you.
