Hello, I have just released the minor version 6.6.3p1 of OpenSMTPD.
Following the advisory from Qualys late January, I have discussed various mitigations on my blog: https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

Several were implemented in OpenBSD -current and this new release back-ports them to the portable version. With this release:

- OpenSMTPD now declares maildir instead of mbox in its default configuration
- the mbox delivery method now uses a specific code path for execution with fixed parameters
- the mbox delivery method no longer requires privileges in the daemon
- the lmtp delivery method no longer receives sender/recipient on the command line

Other mitigations will be back-ported as they become available and new releases will be issued to include them.

In the meantime, I highly recommend that you:

- upgrade to this version to reduce the attack surface.
- stop using mbox if possible.
- stop delivering mail to root but create an alias to an unprivileged user instead.

The release can be downloaded from our website: https://www.opensmtpd.org/archives/opensmtpd-6.6.3p1.tar.gz

or from Github: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.3p1
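The two configuration recommendations above (maildir instead of mbox, and no delivery to root), as an added example that is not part of the announcement or the project's shipped defaults: a minimal smtpd.conf in the 6.6 grammar plus an aliases excerpt. The file paths, interface name and the "mailadmin" account are assumptions to adapt to your host.

```conf
# /etc/mail/smtpd.conf (added example, not from the release; paths and
# interface names are assumptions)
table aliases file:/etc/mail/aliases

listen on socket
listen on lo0

# Weak setting: local delivery into mbox files, the method the
# announcement recommends moving away from
#action "local_mail" mbox alias <aliases>

# Recommended: deliver into each recipient's ~/Maildir instead
action "local_mail" maildir alias <aliases>
action "outbound" relay

match from local for local action "local_mail"
match from local for any action "outbound"

# /etc/mail/aliases (excerpt): never deliver root's mail to root itself;
# redirect it to an unprivileged account ("mailadmin" is an assumed name).
# After editing, reload the table with: smtpctl update table aliases
# root: mailadmin
```

Check the result with `smtpd -n` before restarting, so a syntax error in the new grammar does not leave the daemon down.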