[Zope-Annce] SECURITY WARNING: Don't use the Zope 3 sendmail mailer

Jim Fulton jim at zope.com
Fri Jul 29 16:31:43 EDT 2005


There is a feature in Zope 3, called the "sendmail" mailer, which is
not enabled by default, for using a shell command to invoke a mailer
to send mail. (The name comes from the popular Unix mailer
sendmail, which is often invoked as a sub-process.) Invoking a shell
from a server program is a potentially serious security hole.  This
feature can be enabled with a ZCML directive like:

   <mail:queuedService permission="zope.SendMail"
                       queuePath="./queue"
                       mailer="sendmail" />

If you have added a directive like this to your configuration,
you should remove it or change it to use the smtp mailer:

   <mail:queuedService permission="zope.SendMail"
                       queuePath="./queue"
                       mailer="smtp" />

This feature will be removed in future versions of Zope, including
Zope 3.1, and 3.0.2 (if there is a 3.0.2).

If you have questions about this, please send them to the Zope 3
users list, zope3-users at zope.org.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
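
A check for the directive described above, as an added example that is not part of the original announcement or of Zope itself: it parses ZCML with an XML parser, so commented-out directives are ignored and attributes spread over several lines are handled, and it reports every element whose mailer attribute is "sendmail". The function names and the sample ZCML are constructed for illustration.

```python
import sys
import xml.parsers.expat
from pathlib import Path

# Constructed sample: one commented-out directive, one live sendmail
# directive (the form shown in the announcement), one smtp directive.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:mail="http://namespaces.zope.org/mail">
  <!-- <mail:queuedService permission="zope.SendMail"
                           queuePath="./old" mailer="sendmail" /> -->
  <mail:queuedService permission="zope.SendMail"
                      queuePath="./queue"
                      mailer="sendmail" />
  <mail:queuedService permission="zope.SendMail"
                      queuePath="./queue2"
                      mailer='smtp' />
</configure>
"""

def find_sendmail_directives(zcml):
    """Return [(line, element)] for live elements with mailer="sendmail"."""
    hits = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def start_element(name, attrs):
        if attrs.get("mailer", "").strip() == "sendmail":
            # name is "namespace-uri localname"; keep the local part only.
            hits.append((parser.CurrentLineNumber, name.split(" ")[-1]))

    parser.StartElementHandler = start_element
    parser.Parse(zcml, True)
    return hits

def scan_tree(root):
    """Scan every *.zcml file under root; return [(path, line, element)]."""
    findings = []
    for path in sorted(Path(root).rglob("*.zcml")):
        try:
            hits = find_sendmail_directives(path.read_bytes())
        except xml.parsers.expat.ExpatError as exc:
            # A file that cannot be parsed cannot be cleared; report it.
            findings.append((str(path), exc.lineno, "UNPARSEABLE"))
            continue
        findings.extend((str(path), line, name) for line, name in hits)
    return findings

if __name__ == "__main__":
    for path, line, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: {name}")
```

Run it with the instance's configuration directory as the only argument; each output line names a file and line to change to mailer="smtp" or remove.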

