I built my QMT a couple of years ago on CentOS 7, and spot checking I see that softlimits are already applied in the following supervise startup scripts:
/var/qmail/supervise/smtp/run
/var/qmail/supervise/submission/run
/var/qmail/supervise/smtps/run

Additionally, I have a reasonable value in /var/qmail/control/databytes (I'm 99% certain that QMT sets a value here by default.) So, as far as I can tell, the RCE issues are already mitigated in relatively recent QMT installs.

If I am reading the CVE correctly, all of the RCE vulnerabilities can be mitigated by having a reasonable value in /var/qmail/control/databytes.

Have you checked your deployed systems?

I need to dig into how qmail-local is being called, so I can figure out whether it has softlimits yet, but I need to get my kids to school. :)

-Chris

On Tue, May 26, 2020 at 6:07 AM Quinn Comendant <[email protected]> wrote:
> Hello all,
>
> I just came across this security bulletin that affects qmail:
>
> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
>
> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. We recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.”
>
> If I understand correctly, it can be mitigated by:
>
> - using softlimit to restrict process memory limit, even on qmail-local
> - configure databytes to limit email message size.
>
> or by applying the patches included in the article linked above.
>
> Is this patch something that should be included in QMT?
>
> How to add soft limit to qmail-local?
>
> Quinn
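A small audit script for the "have you checked your deployed systems?" question above, added here as an example (it is not from the thread, QMT or the Qualys advisory). It assumes the QMT layout named in the thread (supervise/*/run scripts and control/databytes under the qmail root) and takes the root as a parameter so it can be pointed at a test tree.

```sh
#!/bin/sh
# Added example: report which supervise run scripts apply softlimit and
# whether control/databytes sets a message size limit. Layout assumed from
# the thread: $ROOT/supervise/<service>/run and $ROOT/control/databytes.

# Print "<service>:yes" or "<service>:no" for every supervise/*/run,
# depending on whether softlimit appears on a non-comment line.
check_softlimits() {
    root="$1"
    for run in "$root"/supervise/*/run; do
        [ -f "$run" ] || continue
        svc=$(basename "$(dirname "$run")")
        if grep -v '^[[:space:]]*#' "$run" | grep -q 'softlimit'; then
            echo "$svc:yes"
        else
            echo "$svc:no"
        fi
    done
}

# Print the databytes value, or "unset" when the control file is absent or
# empty. In qmail a missing file or a value of 0 means no size limit.
get_databytes() {
    f="$1/control/databytes"
    if [ -s "$f" ]; then
        v=$(head -n1 "$f" | tr -d '[:space:]')
        echo "${v:-unset}"
    else
        echo "unset"
    fi
}

# Exit 0 only when every run script has softlimit and databytes is a
# positive number; print a WARN line for each failing check.
audit_qmail_limits() {
    root="$1"; status=0
    if check_softlimits "$root" | grep -q ':no$'; then
        echo "WARN: run scripts without softlimit:"
        check_softlimits "$root" | grep ':no$'
        status=1
    fi
    db=$(get_databytes "$root")
    case "$db" in
        ''|unset|0|*[!0-9]*) echo "WARN: databytes is '$db' (no size limit)"; status=1 ;;
        *) echo "OK: databytes=$db" ;;
    esac
    return $status
}
```

Run it as `audit_qmail_limits /var/qmail` on a QMT host; a non-zero exit means at least one of the two mitigations discussed above is missing.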
