postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Is there potential OS command injection attac

Re: Is there potential OS command injection attack in forwarding e-mail to command?

From: Wietse Venema <wietse_at_nospam>
Date: Fri Oct 22 2010 - 12:45:06 GMT
To: Postfix users <postfix-users@postfix.org>

Kousuke Ebihara:
[sending email to a "|non-Postfix command" alias]
> Postfix might execute commands in a content of e-mail.

Postfix does not execute commands in the content of email messages.
Postfix creates the pipe, not the shell. For safety, Postfix has
a command_expansion_filter feature that cleans email addresses etc.
in environment variables.

Of course, you have to be careful with sending email messages into
non-Postfix commands, especially when those programs were not
written by someone with expertise in the handling of unsafe content.

        Wietse