Found in my mail server logs:
MAIL FROM:<;for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;>
I guess thatās a command line injection attempt, aiming at mail servers passing sender address to a spam filter application without escaping. It installs crypto miners.
After ruling out Postfix as the potential target here, I found that Exim configuration has a use_shell setting for the pipe transport. That seems to be the vulnerable configuration here, and there is an older advisory on it (2013). https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
So my suspicion about misconfigured spam filtering being the target was obviously wrong. It was far more mundane: the proposed configuration for integrating Dovecot with Exim used to be vulnerable. IMHO it being possible to misconfigure in this way is already ridiculousā¦
