On 7 Jun 2012, at 9:33, Schiz0 wrote:
Hey list, I have a setup with postfix-2.9.3,1 using virtual users from a postgresql database. A thought suddenly occurred to me, what if someone tries to send email to a user like this: '; drop table mailbox;' Does postfix properly escape fields when querying a sql database?
I can't answer that specific question, but Postfix does do syntax checking on recipient addresses so such an address would never get to the point of being fed to a SQL database.