[Zope3-Users] SECURITY WARNING: Don't use the Zope 3 sendmail mailer
Jim Fulton
jim at zope.com
Fri Jul 29 16:31:23 EDT 2005
There is a feature in Zope 3, called the "sendmail" mailer, which is
not enabled by default, for using a shell command to invoke a mailer
to send mail. (The name comes from the popular Unix mailer
sendmail, which is often invoked as a sub-process.) Invoking a shell
from a server program is a potentially serious security hole. This
feature can be enabled with a ZCML directive like:

  <mail:queuedService permission="zope.SendMail"
                      queuePath="./queue"
                      mailer="sendmail" />

If you have added a directive like this to your configuration,
you should remove it or change it to use the smtp mailer:

  <mail:queuedService permission="zope.SendMail"
                      queuePath="./queue"
                      mailer="smtp" />

This feature will be removed in future versions of Zope, including
Zope 3.1, and 3.0.2 (if there is a 3.0.2).

If you have questions about this, please send them to the Zope 3
users list, zope3-users at zope.org.

Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
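
One way to check an instance for the directive described in the post (an added example, not part of the original message and not Zope's own code). It assumes the risky mailer is referenced by the literal name "sendmail" as in the quoted directive; the function names and the sample configuration are constructed for illustration.

```python
import sys
from pathlib import Path
from xml.parsers import expat

# Assumption: the shell-invoking mailer is referenced by the name "sendmail".
RISKY_MAILER = "sendmail"

# Constructed sample configuration (not taken from a real site).
SAMPLE_ZCML = b"""\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:mail="http://namespaces.zope.org/mail">
  <!-- <mail:queuedService queuePath="./old" mailer="sendmail" /> -->
  <mail:queuedService permission="zope.SendMail"
      queuePath="./queue"
      mailer="sendmail" />
  <mail:queuedService permission="zope.SendMail" queuePath="./q2" mailer="smtp" />
</configure>
"""

def find_sendmail_mailers(zcml):
    """Return [(line, directive, attrs)]; parsing, unlike grep, skips comments."""
    hits = []
    parser = expat.ParserCreate(namespace_separator=" ")

    def start(name, attrs):
        if attrs.get("mailer", "").strip() == RISKY_MAILER:
            local = name.rsplit(" ", 1)[-1]  # drop the namespace URI
            hits.append((parser.CurrentLineNumber, local, dict(attrs)))

    parser.StartElementHandler = start
    parser.Parse(zcml, True)
    return hits

def scan_tree(root):
    """Scan every *.zcml file under root; return (path, line, finding) rows."""
    rows = []
    for path in sorted(Path(root).rglob("*.zcml")):
        try:
            for line, tag, _ in find_sendmail_mailers(path.read_bytes()):
                rows.append((str(path), line, tag))
        except expat.ExpatError as exc:  # report unparsable files, never skip
            rows.append((str(path), exc.lineno, "UNPARSED: %s" % exc))
    return rows

if __name__ == "__main__":
    # First argument: the instance's configuration directory (default ".").
    for path, line, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s:%s: %s" % (path, line, finding))
```

Each output line is path:line: directive; a file that cannot be parsed is listed as UNPARSED so it can be reviewed by hand.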