Changes in this release:
========================
New Features:
- Allowed use of the smtpd(8) session username in built-in filters when available.
- Introduced a bypass keyword to smtpd(8) so that built-in filters can bypass processing when a condition is met.
- Allowed use of 'auth' as an origin in smtpd.conf(5).
- Allowed use of mail-from and rcpt-to as for and from parameters in smtpd.conf(5).
Bug fixes:
- Ensured legacy ssl(8) session ID is persistent during a client TLS session, fixing an issue using TLSv1.3 with smtp.mail.yahoo.com.
- Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read in smtpd allowing an attacker to inject arbitrary commands into the envelope file to be executed as root, and ensured privilege revocation in smtpctl(8) to prevent arbitrary commands from being run with the _smtpq group.
- Allowed mail.local(8) to be run as non-root, opening a pipe to lockspool(1) for file locking.
- Fixed a security vulnerability in smtpd(8) which could lead to a privilege escalation on mbox deliveries and unprivileged code execution on lmtp deliveries.
- Added support for CIDR in a: spf atoms in smtpd(8).
- Fixed a possible crash in smtpd(8) when combining "from rdns" with nested virtual aliases under a particular configuration.
By default, OpenSMTPD relies on the OpenBSD default, /var/spool/mail, instead of /var/mail.
Point it at /var/mail on all supported platforms != OpenBSD.
Reported by: Denis Fortin via private mail
MFH: 2020Q1
SECURITY RELEASE
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
MFH: 2020Q1
- switch default configuration to maildir
- allow mbox to deliver to users without requiring privileges in the daemon
- allow lmtp to receive sender/recipient in environment
MFH: 2020Q1
This update addressed LPE and RCE vulnerabilities in OpenSMTPD (CVE-2020-7247)
https://www.openwall.com/lists/oss-security/2020/01/28/3
This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch
smtpd to new grammar") and allows an attacker to execute arbitrary shell
commands, as root:
- either locally, in OpenSMTPD's default configuration (which listens on
the loopback interface and only accepts mail from localhost);
- or locally and remotely, in OpenSMTPD's "uncommented" default
configuration (which listens on all interfaces and accepts external
mail).
PR: 243686
Reported by: authors via irc
MFH: 2020Q1
Relnotes: https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html
This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.
FreeBSD 11.x users should update to 12.x/13.x or switch system-wide
default ssl library to openssl111/libressl
- Update -extras to 6.4.0 release
Filters are still missing; the corresponding ports are temporarily marked
as IGNORED
PR: 213442,228937
MFH: 2019Q4
(i.e. when the dot appears on the line directly after the headers).
This could be used by an attacker to exhaust resources.
PR: 227899
Submitted by: grembo
Obtained from: OpenSMTPD git repo (backported)
MFH: 2018Q2
Missing brackets lead to a panic when a malformed address line
is fed to dovecot-lda
Submitted by: gahr
Reported by: brnrd via dovecot ML
Obtained from: 725ba4fa2d
development, and has kindly agreed to take the maintainership
of the following ports:
- dns/libasr
- dns/libasr-devel
- mail/opensmtpd
- mail/opensmtpd-devel
Thank you!
- Make option descriptions generic[1]
- Cleanup OPTIONS[1]
- Enforce SSL_PORT for 9.x[1]
- Mark as broken with LIBASRDEVEL option, due to incompatibility
PR: 206523[1]
Submitted by: Andrey Fesenko <andrey at bsdnir dot info>[1]
Details at https://github.com/OpenSMTPD/OpenSMTPD/issues/650
While at it, remove a stale patch that isn't applicable anymore. Upstream
implements this logic already, and the patch doesn't actually patch anything.
PR: 206816
Submitted by: sa.inbox@gmail.com
Approved by: portmgr@
Patches must not be changed by the vcs, this includes the
svn:keyword expansion. Set fbsd:nokeywords to a couple of patches.
With hat: portmgr
Sponsored by: Absolight
e.g. often the username exceeds the limit when it contains an @host.name
part.
Reported by: gahr (via private email)
Obtained from: Philipp Takacs <philipp@bureaucracy.de> (via IRC)
- Remove OPTIONS for the features unsupported upstream: SQLITE, MYSQL,
LDAP, PGSQL, and REDIS
- Add workaround to prevent unnecessary dependency on autotools, due
to problem with tarball
- Add note to UPDATING about the removal of OPTIONS
mail/opensmtpd:
- Update to 5.4.4p1
- Add LIBASRDEVEL option to depend on dns/libasr-devel
- Use OpenSSL from ports, should help with migration to LibreSSL
- Explicitly provide path to OpenSSL[1]
mail/opensmtpd-devel:
- Update to 201502012312
- Add LIBASR option to depend on dns/libasr
- Remove MYSQL, PGSQL, LDAP, and REDIS options as they're removed
upstream
- Add a note for above to UPDATING
- Explicitly provide path to OpenSSL[1]
- Add a diff to fix build failure on FreeBSD[2]
Reported by: TJ <tj at mrsk.me> (via private email)
Submitted by: Herbert J. Skuhra <herbert at oslo.ath.cx> (via list)