-
Notifications
You must be signed in to change notification settings - Fork 48
Security
As noted in #272 there might be security issues in this code. It was written as a helpful utility in 2004 and has had minimal changes since then. Very little effort went in at the time to protect it against various security attacks. While we do eventually fix security issues we become aware of, we aren't bound by any SLAs, so fixes don't always happen quickly.
Patches to fix security issues will be accepted as time permits, but the code (especially the admin panel) certainly needs an overhaul, and that will only happen if someone with enough time and motivation steps up. In fact, a potential replacement for our aged PHP admin panel already exists. Meet veximpy!
In short:
- If you are considering VExim, we advise you to at least have a look at other similar solutions as well.
- If you are already using VExim, please consider taking extra steps to secure it.
- If you're interested in contributing a rewrite, or participating in one, let us know
- And of course, pull requests with bugfixes are always welcome!
There was a discussion about passwords for users who should not be able to login. https://github.com/vexim/vexim2/pull/303
It might be unsafe for some software to use NULL-values or empty passwords or hashes. If this is used in a setup by intention the admin of this is responsible to do it in a safe way.
Piping emails to commands is a big security issue!
We have a discussion about 'piping' users in PR #300 if you are interested in the details. It's very likely that this user type will be removed from Vexim completely.
Fetchmail should be easily usable with any software. Eg RT Request Tracker https://rt-wiki.bestpractical.com/wiki/ManualEmailConfig
Redmine brings a configuration option to fetch emails from IMAP. https://www.redmine.org/projects/redmine/wiki/RedmineReceivingEmails
Dovecot Use the LMTP transport instead.