On Nov 22, 2005, at 8:50 PM, John Simpson wrote:
vpopmail isn't the cause of this problem- you're simply running into the limit of what qmailadmin allows the user to do. it probably wouldn't take much for them to add the ability to enter arbitrary lines (including "|" lines) but they haven't done it- probably because very few people need it.

Actually, it was possible during some development releases, but we realized that it opened up a big security hole. Since the .qmail file is run as the vpopmail user, it would be very dangerous to allow a user to put anything in there. A malicious user could delete ~vpopmail/domains via their .qmail file or even have the contents of ~vpopmail/etc/vpopmail.mysql emailed to them.

there's also the fact that this would expose another bug (or poor design decision) in vpopmail- when vpopmail is tied to mysql, the "valias" table (which contains the lines normally stored in .qmail-* files) have no sequence field- so if you have a .qmail file which requires a definite sequence (i.e. runs "condredirect" on one line, and then something else after it) and store those lines in the mysql "valias" table, there would be no guarantee that the "condredirect" line would be run first.

A poor design decision that at least I've been aware of for awhile, but haven't had time to address. Simply adding an auto-increment field to that table and sorting on it would be a good start.

Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com

Reply via email to