
Serious Security – How ‘special case’ code blew a hole in OpenSMTPD
2020-01-31 17:49

Well, if you do use OpenSMTPD, you need to make sure you're not vulnerable to a recently-disclosed bug that could let a crook take over your server simply by sending an email containing evil commands.

OpenSMTPD allows you to specify a command that it will use to handle the mail that it receives, whether that's email coming in from outside or messages that you're queuing up for delivery to other servers.

As you probably know, "shelling out" to user-specified commands is risky, because the shell treats some characters on its command line in a special way.

Ironically, even though OpenSMTPD's validation correctly flags those special characters as dangerous, the rogue data is allowed through to the command shell anyway when the address isn't followed by a domain name.

If you are using OpenSMTPD to accept mail from outsiders, then the bug is worse, because attackers who don't even have accounts on your system, let alone a logged-in session, can run commands on your server just by sending a sneakily-formatted email.
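The validation pattern the article describes, as an added example written for this page and not OpenSMTPD's own code: a simplified reconstruction in which a "no domain name" special case skips the shell-metacharacter check, beside a hardened version that checks the local part on every path. The metacharacter table, the function names and the sample addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters a POSIX shell interprets specially. Constructed for this
 * example; not OpenSMTPD's own table. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~=%";

/* True if any of the first n bytes of s is a shell metacharacter. */
static bool has_shell_meta(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\0')
            return true;            /* an embedded NUL is never acceptable */
        if (strchr(SHELL_META, s[i]) != NULL)
            return true;
    }
    return false;
}

/* Flawed validator (hypothetical, simplified): an address with no '@' is
 * treated as a local user and accepted WITHOUT the metacharacter check.
 * This is the "special case" shape of bug the article describes. */
bool accept_address_special_case(const char *addr)
{
    const char *at = strchr(addr, '@');
    if (at == NULL)
        return true;                /* special case: validation skipped */
    return !has_shell_meta(addr, (size_t)(at - addr));
}

/* Hardened validator: the local part is checked on every path, and an
 * empty local part is rejected rather than silently defaulted. */
bool accept_address_hardened(const char *addr)
{
    const char *at = strchr(addr, '@');
    size_t local_len = (at != NULL) ? (size_t)(at - addr) : strlen(addr);
    if (local_len == 0)
        return false;
    return !has_shell_meta(addr, local_len);
}

int main(void)
{
    /* Constructed sample addresses: two clean, two carrying a ';'. */
    const char *samples[] = { "alice@example.com", "alice;ls@example.com",
                              "alice", "alice;ls" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s special-case:%d hardened:%d\n", samples[i],
               accept_address_special_case(samples[i]),
               accept_address_hardened(samples[i]));
    }
    return 0;
}
```

The flawed validator accepts "alice;ls" only because the address has no domain part, which is exactly the gap the article describes. Input validation is a second line of defence here: the robust fix is to run the delivery command with an argument vector (execve-style) rather than through a shell, so that no character in an address is ever interpreted as shell syntax in the first place.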


News URL

https://nakedsecurity.sophos.com/2020/01/31/serious-security-how-special-case-code-blew-a-hole-in-opensmtpd/