On Nov 22, 2005, at 8:50 PM, John Simpson wrote:
> vpopmail isn't the cause of this problem- you're simply running into the limit of what qmailadmin allows the user to do. it probably wouldn't take much for them to add the ability to enter arbitrary lines (including "|" lines) but they haven't done it- probably because very few people need it.

Actually, it was possible during some development releases, but we realized that it opened up a big security hole. Since the .qmail file is run as the vpopmail user, it would be very dangerous to allow a user to put anything in there. A malicious user could delete ~vpopmail/domains via their .qmail file or even have the contents of ~vpopmail/etc/vpopmail.mysql emailed to them.

> there's also the fact that this would expose another bug (or poor design decision) in vpopmail- when vpopmail is tied to mysql, the "valias" table (which contains the lines normally stored in .qmail-* files) has no sequence field- so if you have a .qmail file which requires a definite sequence (i.e. runs "condredirect" on one line, and then something else after it) and store those lines in the mysql "valias" table, there would be no guarantee that the "condredirect" line would be run first.

A poor design decision that at least I've been aware of for a while, but haven't had time to address. Simply adding an auto-increment field to that table and sorting on it would be a good start.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
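
Added illustration, not part of the original message and not QmailAdmin's code: a sketch of a check that limits user-supplied .qmail content to forward lines, using the line types from dot-qmail(5). The function names, the address pattern and the sample inputs are assumptions made for this example.

```python
import re

# Conservative user@domain pattern (assumption for this sketch, not an RFC 5322 parser).
_ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def classify(line):
    """Return the delivery type dot-qmail(5) assigns to a single line."""
    if not line:
        return "empty"
    first = line[0]
    if first == "#":
        return "comment"
    if first == "|":
        return "program"      # executed with the file owner's privileges
    if first in "/.":
        return "maildir" if line.endswith("/") else "mbox"
    if first == "&" or (first.isascii() and first.isalnum()):
        return "forward"
    return "invalid"

def accept_user_forward(value):
    """Return a normalized forward line for user input, or raise ValueError."""
    # Reject control characters before anything else: an embedded newline
    # would begin a second .qmail line, which could be a "|" program line.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in forward target")
    target = value.strip()
    if classify(target) != "forward":
        raise ValueError("only forward lines are accepted from users")
    addr = target[1:] if target.startswith("&") else target
    if not _ADDR.fullmatch(addr):
        raise ValueError("not a plain user@domain address")
    return "&" + addr

def is_accepted(value):
    """Convenience wrapper: True if accept_user_forward() would accept value."""
    try:
        accept_user_forward(value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["bob@example.com", "|/bin/true", "bob@example.com\n|/bin/true",
                   "/var/tmp/Maildir/", "# note"]:
        print(repr(sample), classify(sample.split("\n")[0]), is_accepted(sample))
```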
