Skip to content
runout-at edited this page Jun 13, 2026 · 4 revisions

General

As noted in #272 there might be security issues in this code. It was written as a helpful utility in 2004 and has had minimal changes since then. Very little effort went in at the time to protect it against various security attacks. While we do eventually fix security issues we become aware of, we aren't bound by any SLAs, so fixes don't always happen quickly.

Patches to fix security issues will be accepted as time permits, but the code (especially the admin panel) certainly needs an overhaul, and that will only happen if someone with enough time and motivation steps up. In fact, a potential replacement for our aged PHP admin panel already exists. Meet veximpy!

In short:

  • If you are considering VExim, we advise you to at least have a look at other similar solutions as well.
  • If you are already using VExim, please consider taking extra steps to secure it.
  • If you're interested in contributing a rewrite, or participating in one, let us know
  • And of course, pull requests with bugfixes are always welcome!

Passwords

There was a discussion about passwords for users who should not be able to login. https://github.com/vexim/vexim2/pull/303

It might be unsafe for some software to use NULL-values or empty passwords or hashes. If this is used in a setup by intention the admin of this is responsible to do it in a safe way.

Piping to commands

Piping emails to commands is a big security issue!

We have a discussion about 'piping' users in PR #300 if you are interested in the details. It's very likely that this user type will be removed from Vexim completely.

Other approaches to inject emails into other software

Fetchmail should be easily usable with any software. Eg RT Request Tracker https://rt-wiki.bestpractical.com/wiki/ManualEmailConfig

Redmine brings a configuration option to fetch emails from IMAP. https://www.redmine.org/projects/redmine/wiki/RedmineReceivingEmails

Dovecot Use the LMTP transport instead.

Clone this wiki locally