Skip to content

@poolpOrg poolpOrg released this Feb 24, 2020 · 215 commits to portable since this release

SECURITY RELEASE

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

Assets 4

@poolpOrg poolpOrg released this Feb 10, 2020

  • switch default configuration to maildir
  • allow mbox to deliver to users without requiring privileges in the daemon
  • allow lmtp to receive sender/recipient in environment
Assets 5
Jan 28, 2020
bump version

@poolpOrg poolpOrg released this Jan 28, 2020 · 215 commits to portable since this release

THIS IS A CRITICAL SECURITY BUGFIX RELEASE

Fix possible privilege escalation found by Qualys.

Assets 4

@poolpOrg poolpOrg released this Nov 5, 2019 · 215 commits to portable since this release

Changes in this release (since 6.6.0p1)

This is a bugfix release. No new features were added.

  • Fixed crash on recipient expansion #968
  • Fixed broken build with LibreSSL #944
  • Fixed crash in arc4random caused by differences in OpenSSL vs LibreSSL compatibility layer plumbing #958
  • Fixed issue where from any rules never matched by IPv6 sources #969
  • Fixed crash that happened during mail relay on musl distros #929
  • Fixed multiple compilation warnings
    #965 #966 #967 #978 #977 #975
Assets 5

@poolpOrg poolpOrg released this Nov 5, 2019 · 2577 commits to portable since this release

release synchronized to 6.6.1 bump in the OpenBSD tree.

Assets 5
  • 6.6.0p1
  • eea3cfb
  • Compare
    Choose a tag to compare
    Search for a tag
  • 6.6.0p1
  • eea3cfb
  • Compare
    Choose a tag to compare
    Search for a tag

@poolpOrg poolpOrg released this Oct 26, 2019

Dependencies note:

This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. In addition, the features parity is not respected,
some features will not be available with OpenSSL, like ECDSA server-side
certificates support in this release. OpenSSL library is considered as a
best effort target TLS library and provided as a commodity, LibreSSL has
become our target TLS library.

Changes in this release (since 6.4.0):

  • various improvements to documentation and code
  • reverse dns session matching criteria added to smtpd.conf(5)
  • regex table lookup support added to smtpd.conf(5)
  • introduced support for ECDSA certificates with an ECDSA privsep engine
  • introduced builtin filters for basic filtering of incoming sessions
  • introduced option to deliver junk to a Junk folder in mail.maildir(8)
  • fixed the smtp(1) client so it uses correct default port for SMTPS
  • fixed an smtpd(8) crash on excessively large input
  • ensured mail rejected by an LMTP server stay queued

Experimental features:

  • introduced a filters API to allow writing standalone filters for smtpd
  • introduced proxy-v2 support allowing smtpd to operate behind a proxy
Assets 2
Oct 13, 2019
Aug 2, 2019
version increase
Aug 2, 2019
You can’t perform that action at this time.