Skip to content
runout-at edited this page Jun 12, 2026 · 4 revisions

General

As noted in #272 there might be security issues in this code. It was written as a helpful utility in 2004 and has had minimal changes since then. Very little effort went in at the time to protect it against various security attacks. While we do eventually fix security issues we become aware of, we aren't bound by any SLAs, so fixes don't always happen quickly.

Patches to fix security issues will be accepted as time permits, but the code (especially the admin panel) certainly needs an overhaul, and that will only happen if someone with enough time and motivation steps up. In fact, a potential replacement for our aged PHP admin panel already exists. Meet veximpy!

In short:

  • If you are considering VExim, we advise you to at least have a look at other similar solutions as well.
  • If you are already using VExim, please consider taking extra steps to secure it.
  • If you're interested in contributing a rewrite, or participating in one, let us know
  • And of course, pull requests with bugfixes are always welcome!

Passwords

There was a discussion about passwords for users who should not be able to login. https://github.com/vexim/vexim2/pull/303

It might be unsafe for some software to use NULL-values or empty passwords or hashes. If this is used in a setup by intention the admin of this is responsible to do it in a safe way.

Clone this wiki locally