From bc2cf0b1052927f8b589e9e2a1f9251780e9e0f9 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Wed, 7 Dec 2016 10:18:06 -0200
Subject: Protects against roundcube mail() vulnerability
---
 templates/virtual/roundcube/config.inc.php.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/virtual/roundcube/config.inc.php.erb b/templates/virtual/roundcube/config.inc.php.erb
index fa4ed41..3205d70 100644
--- a/templates/virtual/roundcube/config.inc.php.erb
+++ b/templates/virtual/roundcube/config.inc.php.erb
@@ -44,7 +44,8 @@ $config['default_host'] = 'localhost';
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %z - IMAP domain (IMAP hostname without the first part)
 // For example %n = mail.domain.tld, %t = domain.tld
-$config['smtp_server'] = '';
+// See https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
+$config['smtp_server'] = 'localhost';
 
 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))
-- 
cgit v1.2.3
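Review bot: The comment added above `$config['smtp_server']` is only a URL, so nothing in the template says the value must stay non-empty, and a later edit could set it back to `''` and return Roundcube to sending through PHP mail(). I would state the constraint next to the link, e.g. `// Must not be empty: with no SMTP server set, Roundcube sends through PHP mail(), the code path affected by the issue linked below.` This setting is a configuration mitigation rather than a fix, so the deployed Roundcube version (not visible in this hunk) should still be checked against a release that contains the upstream patch. Delivery now depends on an MTA listening on localhost at the port set just below the hunk, and the relay/authentication settings that govern what that MTA accepts from the webmail host are outside the visible lines.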