OpenSMTPD 6.7.0p1 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.

The archives are now available from the main site at

We would like to thank the OpenSMTPD community for their help in testing
the snapshots, reporting bugs, contributing code and packaging for other

This is a major release with multiple bug fixes and new features.

Dependencies note:

This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. In addition, the features parity is not respected,
some features will not be available with OpenSSL, like ECDSA server-side
certificates support in this release. OpenSSL library is considered as a
best effort target TLS library and provided as a commodity, LibreSSL has
become our target TLS library.

Changes in this release:

New Features:

- Allowed use of the smtpd(8) session username in built-in filters when 
- Introduced a bypass keyword to smtpd(8) so that built-in filters can bypass 
processing when a condition is met.
- Allowed use of 'auth' as an origin in smtpd.conf(5).
- Allowed use of mail-from and rctp-to as for and from parameters in 

Bug fixes:

- Ensured legacy ssl(8) session ID is persistent during a client TLS session, 
fixing an issue using TLSv1.3 with
- Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read 
in smtpd allowing an attacker to inject arbitrary commands into the envelope 
file to be executed as root, and ensured privilege revocation in smtpctl(8) to 
prevent arbitrary commands from being run with the _smtpq group.
- Allowed mail.local(8) to be run as non-root, opening a pipe to lockspool(1) 
for file locking.
- Fixed a security vulnerability in smtpd(8) which could lead to a privilege 
escalation on mbox deliveries and unprivileged code execution on lmtp 
- Added support for CIDR in a: spf atoms in smtpd(8).
- Fixed a possible crash in smtpd(8) when combining "from rdns" with nested 
virtual aliases under a particular configuration.

Experimental Features: 

- Introduced smtp-out event reporting.
- Improved filtering protocol.


  SHA256 (opensmtpd-6.7.0p1.tar.gz) =


Starting with version 5.7.1, releases are signed with signify(1).

You can obtain the public key from our website, check with our community
that it has not been altered on its way to your machine.

   $ wget

Once you are confident the key is correct, you can verify the release as
described below:

1- download both release tarball and matching signature file to same directory:

   $ wget
   $ wget

2- use `signify` to verify that signature file is properly signed and that the
   checksum matches the release tarball you downloaded:

   for portable version:
   $ signify -C -e -p -x opensmtpd-6.7.0p1.sum.sig
   Signature Verified
   opensmtpd-6.7.0p1.tar.gz: OK

If you don't get an OK message, then something is not right and you should not
install without first understanding why it failed.


You are encouraged to register to our general purpose mailing-list:

The "Official" IRC channel for the project is at:
    #OpenSMTPD @

Support us:

The project is maintained by volunteers, you can support us by:

- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD project
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features

Get in touch with us by e-mail or on IRC for more informations.

Reporting Bugs:

Please read
Security bugs should be reported directly to
Other bugs may be reported to

Reply via email to