Hello,
I have just released the minor version 6.6.3p1 of OpenSMTPD.
Following the advisory from Qualys late January, I have discussed various
mitigations on my blog:
https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
Several were implemented in OpenBSD -current and this new release back-ports
them to the portable version.
With this release:
- OpenSMTPD now declares maildir instead of mbox in its default configuration
- the mbox delivery method now uses a specific code path for execution with
fixed parameters
- the mbox delivery method no longer requires privileges in the daemon
- the lmtp delivery method no longer receives sender/recipient on the command
line
Other mitigations will be back-ported as they become available and new releases
will be issued to include them.
In the meantime, I highly recommend that you:
- upgrade to this version to reduce the attack surface.
- stop using mbox if possible.
- stop delivering mail to root but create an alias to an unprivileged user
instead.
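As an added illustration (not part of this announcement or of the OpenSMTPD project's own code), the following POSIX shell audit checks the two settings recommended above: whether an smtpd.conf still declares an mbox delivery action, and whether the aliases file redirects root to another account. The "before" and "after" files it creates are constructed here, modelled on the stock 6.6 configuration; the temporary directory, the file names and the target user "mailadmin" are assumptions, not values from the announcement.

```shell
#!/bin/sh
# Added example (not OpenSMTPD project code): audit an smtpd.conf and an
# aliases file for the settings recommended in the 6.6.3p1 announcement.

# Returns 0 if an uncommented 'action "<name>" mbox ...' line is present.
uses_mbox() {
    # drop comments first, then look for an action using the mbox method
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*action[[:space:]]+"[^"]*"[[:space:]]+mbox([[:space:]]|$)'
}

# Returns 0 if the aliases file maps root to something other than root.
root_aliased() {
    sed 's/#.*//' "$1" | awk -F: '
        $1 ~ /^[[:space:]]*root[[:space:]]*$/ {
            target = $2
            gsub(/[[:space:]]/, "", target)
            if (target != "" && target != "root") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample files (assumed paths; real ones live in /etc/mail on OpenBSD).
tmp=$(mktemp -d)

# "Before": the pre-6.6.3p1 default, delivering local mail to mbox.
cat > "$tmp/smtpd.conf.before" <<'EOF'
table aliases file:/etc/mail/aliases
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay
match for local action "local_mail"
match from local for any action "outbound"
EOF

# "After": the same configuration with maildir, as 6.6.3p1 now declares by default.
sed 's/ mbox / maildir /' "$tmp/smtpd.conf.before" > "$tmp/smtpd.conf.after"

# Aliases without and with a root redirection ("mailadmin" is an assumed account).
printf 'postmaster: root\n' > "$tmp/aliases.before"
printf '# deliver root mail to an unprivileged account\npostmaster: root\nroot: mailadmin\n' \
    > "$tmp/aliases.after"

# Report on each constructed pair.
for state in before after; do
    if uses_mbox "$tmp/smtpd.conf.$state"; then
        echo "smtpd.conf.$state: still uses an mbox delivery action"
    else
        echo "smtpd.conf.$state: no mbox delivery action"
    fi
    if root_aliased "$tmp/aliases.$state"; then
        echo "aliases.$state: root is redirected"
    else
        echo "aliases.$state: mail for root is still delivered to root"
    fi
done
```

Run it against your real files by calling uses_mbox /etc/mail/smtpd.conf and root_aliased /etc/mail/aliases. After changing the configuration, smtpd -n checks the syntax without starting the daemon, and a file-backed aliases table is re-read with smtpctl update table aliases.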
The release can be downloaded from our website:
https://www.opensmtpd.org/archives/opensmtpd-6.6.3p1.tar.gz
or from GitHub:
https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.3p1