Be notified of new releases
Create your free GitHub account today to subscribe to this repository for new releases and build software alongside 40 million developers.Sign up
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
- switch default configuration to maildir
- allow mbox to deliver to users without requiring privileges in the daemon
- allow lmtp to receive sender/recipient in environment
THIS IS A CRITICAL SECURITY BUGFIX RELEASE
Fix possible privilege escalation found by Qualys.
Changes in this release (since 6.6.0p1)
This is a bugfix release. No new features were added.
- Fixed crash on recipient expansion #968
- Fixed broken build with LibreSSL #944
- Fixed crash in
arc4randomcaused by differences in OpenSSL vs LibreSSL compatibility layer plumbing #958
- Fixed issue where
from anyrules never matched by IPv6 sources #969
- Fixed crash that happened during mail relay on musl distros #929
- Fixed multiple compilation warnings
#965 #966 #967 #978 #977 #975
release synchronized to 6.6.1 bump in the OpenBSD tree.
This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. In addition, the features parity is not respected,
some features will not be available with OpenSSL, like ECDSA server-side
certificates support in this release. OpenSSL library is considered as a
best effort target TLS library and provided as a commodity, LibreSSL has
become our target TLS library.
Changes in this release (since 6.4.0):
- various improvements to documentation and code
- reverse dns session matching criteria added to smtpd.conf(5)
- regex table lookup support added to smtpd.conf(5)
- introduced support for ECDSA certificates with an ECDSA privsep engine
- introduced builtin filters for basic filtering of incoming sessions
- introduced option to deliver junk to a Junk folder in mail.maildir(8)
- fixed the smtp(1) client so it uses correct default port for SMTPS
- fixed an smtpd(8) crash on excessively large input
- ensured mail rejected by an LMTP server stay queued
- introduced a filters API to allow writing standalone filters for smtpd
- introduced proxy-v2 support allowing smtpd to operate behind a proxy