Skip to content
Choose a tag to compare
  • fixes a packaging issue causing asr.h to be installed in target system
  • fixes a possible crash in the MTA when establishing IPv6 connections
Choose a tag to compare

New Features:

  • Allowed use of the smtpd(8) session username in built-in filters when available.
  • Introduced a bypass keyword to smtpd(8) so that built-in filters can bypass processing when a condition is met.
  • Allowed use of 'auth' as an origin in smtpd.conf(5).
  • Allowed use of mail-from and rctp-to as for and from parameters in smtpd.conf(5).

Bug fixes:

  • Ensured legacy ssl(8) session ID is persistent during a client TLS session, fixing an issue using TLSv1.3 with
  • Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read in smtpd allowing an attacker to inject arbitrary commands into the envelope file to be executed as root, and ensured privilege revocation in smtpctl(8) to prevent arbitrary commands from being run with the _smtpq group.
  • Allowed mail.local(8) to be run as non-root, opening a pipe to lockspool(1) for file locking.
  • Fixed a security vulnerability in smtpd(8) which could lead to a privilege escalation on mbox deliveries and unprivileged code execution on lmtp deliveries.
  • Added support for CIDR in a: spf atoms in smtpd(8).
  • Fixed a possible crash in smtpd(8) when combining "from rdns" with nested virtual aliases under a particular configuration.

Experimental Features:

  • Introduced smtp-out event reporting.
  • Improved filtering protocol.
Choose a tag to compare


An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

Choose a tag to compare
  • switch default configuration to maildir
  • allow mbox to deliver to users without requiring privileges in the daemon
  • allow lmtp to receive sender/recipient in environment
Choose a tag to compare


Fix possible privilege escalation found by Qualys.

Choose a tag to compare

Changes in this release (since 6.6.0p1)

This is a bugfix release. No new features were added.

  • Fixed crash on recipient expansion #968
  • Fixed broken build with LibreSSL #944
  • Fixed crash in arc4random caused by differences in OpenSSL vs LibreSSL compatibility layer plumbing #958
  • Fixed issue where from any rules never matched by IPv6 sources #969
  • Fixed crash that happened during mail relay on musl distros #929
  • Fixed multiple compilation warnings
    #965 #966 #967 #978 #977 #975
Choose a tag to compare

release synchronized to 6.6.1 bump in the OpenBSD tree.

Choose a tag to compare

Dependencies note:

This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. In addition, the features parity is not respected,
some features will not be available with OpenSSL, like ECDSA server-side
certificates support in this release. OpenSSL library is considered as a
best effort target TLS library and provided as a commodity, LibreSSL has
become our target TLS library.

Changes in this release (since 6.4.0):

  • various improvements to documentation and code
  • reverse dns session matching criteria added to smtpd.conf(5)
  • regex table lookup support added to smtpd.conf(5)
  • introduced support for ECDSA certificates with an ECDSA privsep engine
  • introduced builtin filters for basic filtering of incoming sessions
  • introduced option to deliver junk to a Junk folder in mail.maildir(8)
  • fixed the smtp(1) client so it uses correct default port for SMTPS
  • fixed an smtpd(8) crash on excessively large input
  • ensured mail rejected by an LMTP server stay queued

Experimental features:

  • introduced a filters API to allow writing standalone filters for smtpd
  • introduced proxy-v2 support allowing smtpd to operate behind a proxy