sagredo-dev/qmail
cpe:2.3:a:qmail_project:qmail:*:*:*:*:*:*:*
- >= v2024.10.26, <= v2026.04.02
A remote code execution vulnerability has been identified in Sagredo Qmail versions prior to 2026.04.07. The issue arises from a shell injection in the TLS error handler of the qmail-remote component, specifically within the 'notlshosts_auto' control. An attacker who controls DNS for a domain the target server sends mail to can use this vulnerability to execute arbitrary commands as the 'qmailr' user.
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed commands running as the 'qmailr' user.
The vulnerability can be reproduced by enabling the 'control/notlshosts_auto' feature, which automatically creates a file in 'control/notlshosts/' for each domain the server sends mail to. An attacker can then return a crafted DNS response containing shell metacharacters that survive DNS name processing and are injected into a command executed by the qmail-remote component. The exploitation can be automated with a Python script that simulates the DNS spoofing and the SMTP interaction required to trigger the vulnerability.
Users can upgrade to Sagredo Qmail version 2026.04.07 or later, where this vulnerability has been fixed.