I have just released the minor version 6.6.3p1 of OpenSMTPD.

Following the advisory from Qualys late January, I have discussed various 
mitigations on my blog:


Several were implemented in OpenBSD -current and this new release back-ports 
them to the portable version.

With this release:

- OpenSMTPD now declares maildir instead of mbox in its default configuration
- the mbox delivery method now uses a specific code path for execution with 
fixed parameters
- the mbox delivery method no longer requires privileges in the daemon
- the lmtp delivery method no longer receives sender/recipient on the command 

Other mitigations will be back-ported as they become available and new releases 
will be issued to include them.

In the meantime, I highly recommend that you:

- upgrade to this version to reduce the attack surface.
- stop using mbox if possible.
- stop delivering mail to root but create an alias to an unprivileged user 
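As an added illustration of the last two recommendations (this is a constructed example, not part of the announcement or of the OpenSMTPD distribution), here is an smtpd.conf fragment in OpenSMTPD 6.6 syntax that delivers local mail via maildir instead of mbox, together with the aliases entry that routes root's mail to an unprivileged account. The interface `lo0` and the user name `mailadmin` are assumptions.

```conf
# /etc/mail/smtpd.conf (constructed example, OpenSMTPD 6.6 syntax)

table aliases file:/etc/mail/aliases

listen on lo0

# Before: local delivery through the mbox method. 6.6.3p1 hardens this
# path, but the announcement still advises moving off mbox where possible.
# action "local_mail" mbox alias <aliases>

# After: deliver into each recipient's ~/Maildir; the maildir method runs
# delivery as the recipient user rather than through a privileged step.
action "local_mail" maildir alias <aliases>
action "outbound" relay

match from local for local action "local_mail"
match from local for any action "outbound"

# /etc/mail/aliases (constructed example)
#
# Route everything addressed to root to an unprivileged account so that no
# local delivery is ever performed for the root user. "mailadmin" is an
# assumed user name; after editing, reload the table with
# "smtpctl update table aliases" or restart smtpd.
root: mailadmin
```

The commented-out mbox line and the active maildir line differ only in the delivery method keyword, so the change can be applied to an existing configuration without touching the `match` rules; the alias entry is what keeps mail for root from being delivered to a privileged account at all.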

The release can be downloaded from our website:


or from Github:

