Releases: OpenSMTPD/OpenSMTPD
OpenSMTPD 7.5.0p0
OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.
It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
The archives are now available from the main site at www.OpenSMTPD.org
We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems.
This is a major release with multiple bug fixes and new features.
Dependencies note:
This release builds with LibreSSL, or OpenSSL >= 1.1.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested with that dependency. The OpenSSL library is considered a best-effort target TLS library and is provided as a commodity; LibreSSL has become our target TLS library.
Changes in this release:
- Added support for RFC 7505 "Null MX" handling and treat an MX of "localhost" as if it were a "Null MX".
- Allow inline tables and filter listings in smtpd.conf(5) to span over multiple lines.
- Enabled DSN for the implicit socket too.
- Added the no-dsn option for listen on socket too.
- Reject headers that start with a space or a tab.
- Fixed parsing of the ORCPT parameter.
- Fixed table lookups of IPv6 addresses.
- Fixed handling of escape characters in To, From and Cc headers.
- Run LMTP deliveries as the recipient user again.
- Disallow custom commands and file reading in root's .forward file.
- Do not process other users' .forward files when an alternate delivery user is provided in a dispatcher.
- Unify the table(5) parser used in smtpd(8) and makemap(8).
- Allow the use of table(5) mappings on various match constraints.
Portability fixes:
- re-add ASR_IPV4_BEFORE_IPV6 compile-time knob to prefer connecting to IPv6 instead of IPv4.
- update asr(3) and imsg with OpenBSD.
- fixed rpath handling on NetBSD in the configure.
Checksums:
SHA256 (opensmtpd-7.5.0p0.tar.gz) = 84f5c1393c0c1becc72ceea971e0abd7075b2ca7e4e1f8909b83edfd8de0c39c
Verify:
Starting with version 5.7.1, releases are signed with signify(1).
You can obtain the public key from our website; check with our community that it has not been altered on its way to your machine.
$ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
Once you are confident the key is correct, you can verify the release as described below:
- download both release tarball and matching signature file to same directory:
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.5.0p0.sum.sig
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.5.0p0.tar.gz
- use signify to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded:
$ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.5.0p0.sum.sig
Signature Verified
opensmtpd-7.5.0p0.tar.gz: OK
If you don't get an OK message, then something is not right and you should not install without first understanding why it failed.
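An added example, not part of the release notes or the project's tooling: a Python check of downloaded files against the BSD-style "SHA256 (file) = digest" lines published under Checksums, failing closed on malformed lines, missing files and mismatches. It is a second, independent check of the published digest and does not replace the signify signature verification; the sample-* file names and contents are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style checksum line, as printed under "Checksums:" in the release notes.
# The file name may not contain path separators or parentheses.
BSD_LINE = re.compile(
    r"^SHA256 \((?P<name>[^()/\\]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_bsd_checksums(text):
    """Return {filename: hex digest}; raise ValueError on any malformed line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BSD_LINE.match(line)
        if m is None:
            raise ValueError(f"not a SHA256 checksum line: {line!r}")
        if m["name"] in entries:
            raise ValueError(f"duplicate entry for {m['name']}")
        entries[m["name"]] = m["digest"]
    return entries


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_release(directory, checksum_text):
    """Return {filename: 'OK' | 'FAIL' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_bsd_checksums(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "OK"
        else:
            results[name] = "FAIL"
    return results


def demo():
    """Constructed stand-in for a download: intact, altered and absent files."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed sample tarball bytes\n"
        with open(os.path.join(d, "sample-1.0.tar.gz"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "sample-1.1.tar.gz"), "wb") as fh:
            fh.write(good + b"tampered")
        digest = hashlib.sha256(good).hexdigest()
        listing = "".join(f"SHA256 (sample-1.{i}.tar.gz) = {digest}\n"
                          for i in range(3))
        return verify_release(d, listing)
```

Treat anything other than OK for every listed file as a failed verification, in the same way as a missing OK from signify.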
Support:
You are encouraged to register to our general purpose mailing-list: http://www.opensmtpd.org/list.html
The "Official" IRC channel for the project is at: #opensmtpd @ irc.libera.chat
Support us:
The project is maintained by volunteers; you can support us by:
- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD projects
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features
Get in touch with us by e-mail or on IRC for more information.
Reporting Bugs:
Please read http://www.opensmtpd.org/report.html
Security bugs should be reported directly to security@opensmtpd.org
Other bugs may be reported to bugs@opensmtpd.org
OpenSMTPD 7.5.0rc1
Changelog:
- run LMTP deliveries as the recipient user (again).
- do not execute commands from root's .forward file, nor allow expanding.
- when an alternate delivery user is provided for a dispatcher, skip other users' forward files.
- reject invalid headers that start with blanks.
- relax ORCPT syntax validation.
- use smtpd's table parser in makemap(8) too.
- fix and improve the table(5) file format documentation.
- fixed handling of escaping inside quotes in From, To and Cc headers.
- fix table lookups of IPv6 address.
- allow to use a key-pair table on various match constraints where only list tables were previously allowed.
- allow inline tables and filter to span over multiple lines.
- enable DSN (Delivery Status Notification) for the implicit socket too.
- add the no-dsn option to listen on socket too.
OpenSMTPD-portable specific changes:
- re-add ASR_IPV4_BEFORE_IPV6 compile-time knob to prefer connecting to IPv6 instead of IPv4.
- update asr_run(3) and imsg with OpenBSD.
- configure: readd -R usage on NetBSD, mistakenly dropped in previous release.
OpenSMTPD 7.4.0p1
OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.
It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
The archives are now available from the main site at www.OpenSMTPD.org
We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems.
This is a minor release with multiple bug fixes.
Dependencies note:
This release builds with LibreSSL, or OpenSSL >= 1.1.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested with that dependency. The OpenSSL library is considered a best-effort target TLS library and is provided as a commodity; LibreSSL has become our target TLS library.
Changes in this release:
- Fixed potential crash with LibreSSL versions prior to 3.8 due to arc4random_buf() symbol clash.
- Fixed manpage install path; reintroduced --with-mantype
- Fixed typo in the configure help string: it's --without-libbsd
- Fixed a couple of issues on MacOS:
  - Fixed typo that resulted in the re-declaration of strlcpy() and strlcat()
  - Cast suseconds_t to long for *printf
  - Fixed res_hnok() and b64_{pton,ntop}() discovery
Checksums:
SHA256 (opensmtpd-7.4.0p1.tar.gz) = 9e82a2ec9419e181d4ca27d8e3ebe5d129fded5ba84022ff4d11a73f8edb70b5
Verify:
Starting with version 5.7.1, releases are signed with signify(1).
You can obtain the public key from our website; check with our community that it has not been altered on its way to your machine.
$ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
Once you are confident the key is correct, you can verify the release as described below:
- download both release tarball and matching signature file to same directory:
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.4.0p1.sum.sig
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.4.0p1.tar.gz
- use signify to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded:
$ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.4.0p1.sum.sig
Signature Verified
opensmtpd-7.4.0p1.tar.gz: OK
If you don't get an OK message, then something is not right and you should not install without first understanding why it failed.
OpenSMTPD 7.4.0p0
OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.
It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
The archives are now available from the main site at www.OpenSMTPD.org
We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems.
This is a major release with multiple bug fixes.
Dependencies note:
This release builds with LibreSSL, or OpenSSL >= 1.1 optionally with LibreTLS.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested with that dependency. The OpenSSL library is considered a best-effort target TLS library and is provided as a commodity; LibreSSL has become our target TLS library.
Changes in this release:
- Avoid truncation of filtered data lines.
  Lines in the email body passed through a filter were truncated to roughly LINE_MAX bytes.
- Allow arguments on NOOP.
- Swap link-auth filter arguments and bump filter protocol version.
  It was ambiguous in the case the user name would contain a '|' character.
- Add Message-ID as needed for messages received on the submission port.
  This was dropped during the incoming message parser refactor in 2018.
- Drop ENGINE support.
- Updated the bundled copy of libtls.
  This includes the removal of the support for TLS v1.0 and 1.1 as they were "MUST NOT use" for more than two years already.
The neverending cleanup of the -portable layer continued. This includes the complete rework of some parts:
- Rework of the configure script:
  - use AC_SYSTEM_EXTENSIONS
  - better checks for libraries using AC_SEARCH_LIBS
  - dropped some useless and/or redundant checks
  - better checks for functions, shouldn't yield false-positives
  - various simplification to the -portable layer thanks to these changes
- Simplified the bootstrap script.
Checksums:
SHA256 (opensmtpd-7.4.0p0.tar.gz) = c181ccc3434a11e583619e00028520d457fe062e34dc03beea358078220ce374
Verify:
Starting with version 5.7.1, releases are signed with signify(1).
You can obtain the public key from our website; check with our community that it has not been altered on its way to your machine.
$ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
Once you are confident the key is correct, you can verify the release as described below:
- download both release tarball and matching signature file to same directory:
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.4.0p0.sum.sig
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.4.0p0.tar.gz
- use signify to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded:
$ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.4.0p0.sum.sig
Signature Verified
opensmtpd-7.4.0p0.tar.gz: OK
If you don't get an OK message, then something is not right and you should not install without first understanding why it failed.
OpenSMTPD 7.4.0rc1
- avoid truncation of filtered data lines
  Lines in the email body passed through a filter were truncated to roughly LINE_MAX bytes. (#1192)
- allow arguments on NOOP
  Based on an initial diff by @sjbronner, thank you! (#1150)
- swap link-auth filter arguments and bump filter protocol version
  It was ambiguous in the case the user name would contain a | character. (#1213)
- drop ENGINE support
- sync'ed bundled copy of libtls
  This includes the removal of the support for TLSv1.0 and 1.1. They were "MUST NOT use" for more than two years already.
- The neverending cleanup of the -portable layer continued.
  This includes the complete rework of some parts.
- rework of the configure script:
  - use AC_SYSTEM_EXTENSIONS
  - better checks for libraries using AC_SEARCH_LIBS
  - dropped useless and/or redundant checks
  - better checks for functions, shouldn't yield false-positives
  - various simplification to the -portable layer thanks to these changes
- simplified bootstrap by using autoreconf
OpenSMTPD 7.3.0p2
Portable-only changes:
- avoid potential use of uninitialized data in the bundled copy of ASN1_time_parse
  This could lead to a failure during STARTTLS and a subsequent downgrade to plaintext.
- backport the ENGINE removal to build with the latest LibreSSL
OpenSMTPD 7.3.0p1
Portable-only changes:
- add missing include of stdio.h for fparseln(3) on FreeBSD
- fix a typo in the configure
- use fatal() instead of err(3) in xclosefrom()
- don't add "-lcrypto -lssl" thrice
- fix the build of the bundled libtls with LibreSSL
- force the use of the bundled libtls and libasr
- append, not prepend, to LIBS during automatic configuration
- do not add -L/usr/local/lib or -L/usr/lib, nor -I/usr/local/include or -I/usr/include, as consequence of missing --with-libevent
- optionally link libbsd-ctor too
OpenSMTPD 7.3.0p0
OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.
It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
The archives are now available from the main site at www.OpenSMTPD.org
We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems.
This is a major release with multiple bug fixes and new features.
Dependencies note:
This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with LibreTLS.
LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use the bundled one using the --with-bundled-libtls configure flag until it is updated.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested with that dependency. The OpenSSL library is considered a best-effort target TLS library and is provided as a commodity; LibreSSL has become our target TLS library.
Changes in this release:
Includes the following security fixes:
- OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a connection from a local, scoped ipv6 address"
- OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
Configuration changes:
- The certificate to use is now selected by looking at the names found in the certificates themselves rather than the pki name. The set of certificates for a TLS listener must be defined explicitly by using the pki listener option multiple times.
Synced with OpenBSD 7.3:
- OpenBSD 6.8:
  - Run LMTP deliveries as the smtpd user instead of the recipient user.
- OpenBSD 6.9:
  - Introduced smtp(1) -a to perform authentication before sending a message.
  - Fixed a memory leak in smtpd(8) resolver.
  - Prevented a crash due to premature release of resources by the smtpd(8) filter state machine.
  - Switch to libtls internally.
  - Change the way SNI works in smtpd.conf(5). TLS listeners may be configured with multiple certificates. The matching is based on the names included in the certificates.
  - Allow to specify TLS protocols and ciphers per listener and relay action.
- OpenBSD 7.0:
  - Fixed incorrect status code for expired mails resulting in misleading bounce report in smtpd(8).
  - Added TLS options cafile=(path), nosni, noverify and servername=(name) to smtp(1).
  - Allowed specification of TLS ciphers and protocols in smtp(1).
- OpenBSD 7.1:
  - Stop verifying the cert or CA for a relay using opportunistic TLS.
  - Enabled TLS verify by default for outbound "smtps://" and "smtp+tls://", restoring documented smtpd(8) behavior.
- OpenBSD 7.3:
  - Prevented smtpd(8) abort due to a connection from a local, scoped ipv6 address.
Portable layer changes:
- libbsd and libtls are now optionally used if found.
  - Added --with-libbsd/--without-libbsd configure flag to enable linking to libbsd-overlay.
  - Added --with-bundled-libtls to force the usage of the bundled libtls.
    LibreTLS 3.7.0 (last version at the time of writing) and previous have a regression with OpenSSL 3+, so please use the bundled one. See the GitHub issue #1171 for more info.
- Updated and cleanup of the OpenBSD compats.
  - Ported res_randomid() from OpenBSD.
- The configure option --with-path-CAfile shouldn't be required anymore in most systems but it is retained since it could be useful in some configuration when using the bundled libtls.
- Various minor portability fixes.
Checksums:
SHA256 (opensmtpd-7.3.0p0.tar.gz) = 2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6
Verify:
Starting with version 5.7.1, releases are signed with signify(1).
You can obtain the public key from our website; check with our community that it has not been altered on its way to your machine.
$ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
Once you are confident the key is correct, you can verify the release as described below:
- download both release tarball and matching signature file to same directory:
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.sum.sig
$ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.tar.gz
- use signify to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded:
for portable version:
$ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.3.0p0.sum.sig
Signature Verified
opensmtpd-7.3.0p0.tar.gz: OK
If you don't get an OK message, then something is not right and you should not install without first understanding why it failed.
OpenSMTPD 7.3.0p0-rc2
Changes since the last release: (may be incomplete)
- Synced with OpenBSD 7.3.
  Includes the following security fixes:
  - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a connection from a local, scoped ipv6 address"
  - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
- Optionally use libbsd and libtls.
- Updated bundled libtls.
  Includes fixes with OpenSSL 3.x
  Please use --with-bundled-libtls since LibreTLS 3.7.0 (last version at the time of writing) has a regression with OpenSSL 3.x. See the github issue #1171 for more info.
- Updated and cleanup of the OpenBSD compats.
- Ported res_randomid() from OpenBSD.
- The configure option --with-path-CAfile shouldn't be required anymore for most systems, but it is retained since it could be useful in some configuration when using the bundled libtls.
- Various minor portability fixes.
OpenSMTPD 7.3.0p0-rc1
Changes since the last release: (may be incomplete)
- synced with OpenBSD 7.3
- bundled libtls updated (fixes issues with OpenSSL 3.x)
- updated and cleanup of the OpenBSD compats
- ported res_randomid() from OpenBSD
- optionally use libbsd and libtls
- added --with-bundled-libtls configure knob to work around LibreTLS regressions on OpenSSL 3.x
- remove now useless --with-path-CAfile
- various minor portability fixes