Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Omar Polo
On 2023/06/18 16:15:51 +0100, Simon Harrison  wrote:
> On Sun, 18 Jun 2023 16:08:20 +0200
> Omar Polo  wrote:
> 
> > > On 17 Jun 2023, at 18:43, Simon Harrison  wrote:
> > > 
> > > On Sat, 17 Jun 2023 09:50:17 +0200
> > > Omar Polo  wrote:
> > >   
> > >> OpenSMTPD 7.3.0p0 has just been released.
> > >>   
> > > 
> > > When someone compiles (and runs) this on Debian Bookworm, can you
> > > post a quick howto. I tried on one of my servers and had lots of
> > > errors.   
> > 
> > I've compiled and run successfully several times on Devuan, which I
> > hope is not too different from Debian.
> > 
> > Can you please share the commands you issued and the errors you are
> > getting?  In general, when reporting an issue, attaching compile or
> > runtime logs (whichever is more appropriate for the matter) is always the
> > right thing to do.  Feel free to send them offlist if you prefer.
> > 
> > 
> > Thanks,
> > 
> > Omar Polo
> > 
> 
> Hi Omar. I'll do that next week in a new thread. There was definitely a
> problem with filter-dkimsign, not sure if you could bundle that with
> the portable version?

Although I use filter-dkimsign too, it's a separate project and so
won't be bundled with the portable version, just like all the other
useful filters.

I just compiled libopensmtpd filter-dkimsign on Devuan and it builds
fine for me, but I've also noticed that opensmtpd-filter-dkimsign is
available on the repository, so why not just use apt to install it?


Cheers,

Omar Polo



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Simon Harrison
On Sun, 18 Jun 2023 19:36:00 +0200
Frank de Bruijn  wrote:

> Relevant files: https://duinsoft.nl/dl/
> Procedure: https://duinsoft.nl/dl/building_opensmtpd_7.3.0.txt
> 
> I noticed you mention problems with filter-dkimsign. I don't use
> that myself, so I have no idea whether my build will handle it any
> better.
> 
> Regards,
> Frank
> 

Wow, thanks Frank. Very good of you. I'm pretty busy at the moment, but
I'll have a go at building using your files early next week. 

I'll let you know how things go!

Thanks again,

Simon




Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Frank de Bruijn

On 17-06-2023 at 20:52, Frank de Bruijn wrote:
> On 17-06-2023 at 19:49, Simon Harrison wrote:
> > On Sat, 17 Jun 2023 19:20:26 +0200
> > Frank de Bruijn  wrote:
> >
> > > On 17-06-2023 at 18:43, Simon Harrison wrote:
> > > > On Sat, 17 Jun 2023 09:50:17 +0200
> > > > Omar Polo  wrote:
> > > >
> > > > > OpenSMTPD 7.3.0p0 has just been released.
> > > >
> > > > When someone compiles (and runs) this on Debian Bookworm, can you
> > > > post a quick howto. I tried on one of my servers and had lots of
> > > > errors.
> > >
> > > I built the release candidates a little while ago and rc2 is still
> > > running here. I'll build this version one of these days (maybe
> > > tomorrow) and I'll let you know the result and the procedure. A word
> > > of warning, though: I always use sbuild. I don't know if you're
> > > familiar with it.
> >
> > Hi Frank. I'm not familiar with it, but looking into it now.
>
> If setting up sbuild is too much, I can always make the resulting .deb
> available.


Relevant files: https://duinsoft.nl/dl/
Procedure: https://duinsoft.nl/dl/building_opensmtpd_7.3.0.txt

I noticed you mention problems with filter-dkimsign. I don't use that 
myself, so I have no idea whether my build will handle it any better.


Regards,
Frank



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Simon Harrison
On Sun, 18 Jun 2023 16:08:20 +0200
Omar Polo  wrote:

> > On 17 Jun 2023, at 18:43, Simon Harrison  wrote:
> > 
> > On Sat, 17 Jun 2023 09:50:17 +0200
> > Omar Polo  wrote:
> >   
> >> OpenSMTPD 7.3.0p0 has just been released.
> >>   
> > 
> > When someone compiles (and runs) this on Debian Bookworm, can you
> > post a quick howto. I tried on one of my servers and had lots of
> > errors.   
> 
> I've compiled and run successfully several times on Devuan, which I
> hope is not too different from Debian.
> 
> Can you please share the commands you issued and the errors you are
> getting?  In general, when reporting an issue, attaching compile or
> runtime logs (whichever is more appropriate for the matter) is always the
> right thing to do.  Feel free to send them offlist if you prefer.
> 
> 
> Thanks,
> 
> Omar Polo
> 

Hi Omar. I'll do that next week in a new thread. There was definitely a
problem with filter-dkimsign, not sure if you could bundle that with
the portable version?

Simon



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Omar Polo
> On 17 Jun 2023, at 18:43, Simon Harrison  wrote:
> 
> On Sat, 17 Jun 2023 09:50:17 +0200
> Omar Polo  wrote:
> 
>> OpenSMTPD 7.3.0p0 has just been released.
>> 
> 
> When someone compiles (and runs) this on Debian Bookworm, can you post
> a quick howto. I tried on one of my servers and had lots of errors. 

I've compiled and run successfully several times on Devuan, which I
hope is not too different from Debian.

Can you please share the commands you issued and the errors you are
getting?  In general, when reporting an issue, attaching compile or
runtime logs (whichever is more appropriate for the matter) is always the
right thing to do.  Feel free to send them offlist if you prefer.


Thanks,

Omar Polo



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread latincom
> Hello,
>
> OpenBSD 7.3 ships with the code used to build OpenSMTPD 7.3.0 portable,
> so you're not "affected" by this release: releases announced here are a
> port of OpenSMTPD for other systems.
>
> Gilles
>
>
> June 17, 2023 6:21 PM, latin...@vcn.bc.ca wrote:
>

Thanks so much Gilles the blood pressure came to normal!

>> Hello
>>
>> Please excuse my question, if I am lost!
>>
>> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
>>
>> Is this complicated thing that you mentioned going to affect my
>> servers?
>>
>> I use OpenBSD because of its simplicity!
>>
>> Thanks.
>>
>>> OpenSMTPD 7.3.0p0 has just been released.
>>>
>>> OpenSMTPD is a FREE implementation of the SMTP protocol with some
>>> common
>>> extensions. It allows ordinary machines to exchange e-mails with
>>> systems
>>> speaking the SMTP protocol. It implements a fairly large part of
>>> RFC5321
>>> and can already cover a large range of use-cases.
>>>
>>> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
>>>
>>> The archives are now available from the main site at www.OpenSMTPD.org
>>>
>>> We would like to thank the OpenSMTPD community for their help in
>>> testing
>>> the snapshots, reporting bugs, contributing code and packaging for
>>> other
>>> systems.
>>>
>>> This is a major release with multiple bug fixes and new features.
>>>
>>> Dependencies note:
>>> ==
>>>
>>> This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with
>>> LibreTLS.
>>>
>>> LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
>>> the bundled one using the `--with-bundled-libtls' configure flag until
>>> it is updated.
>>>
>>> It's preferable to depend on LibreSSL as OpenSMTPD is written and
>>> tested
>>> with that dependency. OpenSSL library is considered as a best effort
>>> target TLS library and provided as a commodity, LibreSSL has become our
>>> target TLS library.
>>>
>>> Changes in this release:
>>> 
>>>
>>> Includes the following security fixes:
>>> - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a
>>> connection from a local, scoped ipv6 address"
>>> - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
>>>
>>> Configuration changes:
>>> - The certificate to use is now selected by looking at the names
>>> found in the certificates themselves rather than the `pki` name.
>>> The set of certificates for a TLS listener must be defined
>>> explicitly by using the `pki` listener option multiple times.
>>>
>>> Synced with OpenBSD 7.3:
>>> - OpenBSD 6.9:
>>> * Introduced smtp(1) `-a` to perform authentication before sending
>>> a message.
>>> * Fixed a memory leak in smtpd(8) resolver.
>>> * Prevented a crash due to premature release of resources by the
>>> smtpd(8) filter state machine.
>>> * Switch to libtls internally.
>>> * Change the way SNI works in smtpd.conf(5). TLS listeners may be
>>> configured with multiple certificates. The matching is based on
>>> the names included in the certificates.
>>> * Allow to specify TLS protocols and ciphers per listener and
>>> relay action.
>>> - OpenBSD 7.0:
>>> * Fixed incorrect status code for expired mails resulting in
>>> misleading bounce report in smtpd(8).
>>> * Added TLS options `cafile=(path)`, `nosni`, `noverify` and
>>> `servername=(name)` to smtp(1).
>>> * Allowed specification of TLS ciphers and protocols in smtp(1).
>>> - OpenBSD 7.1:
>>> * Stop verifying the cert or CA for a relay using opportunistic TLS.
>>> * Enabled TLS verify by default for outbound "smtps://" and
>>> "smtp+tls://", restoring documented smtpd(8) behavior.
>>> - OpenBSD 7.3:
>>> * Prevented smtpd(8) abort due to a connection from a local,
>>> scoped ipv6 address.
>>>
>>> Portable layer changes:
>>> - libbsd and libtls are now optionally used if found.
>>> + Added `--with-libbsd`/`--without-libbsd` configure flag to enable
>>> linking to libbsd-overlay.
>>> + Added `--with-bundled-libtls` to force the usage of the bundled
>>> libtls.
>>>
>>> LibreTLS 3.7.0 (last version at the time of writing) and previous
>>> have a regression with OpenSSL 3+, so please use the bundled one.
>>> See the GitHub issue #1171 for more info.
>>>
>>> - Updated and cleanup of the OpenBSD compats.
>>> + Ported `res_randomid()` from OpenBSD.
>>>
>>> - The configure option `--with-path-CAfile` shouldn't be required
>>> anymore in most systems but it is retained since it could be useful in
>>> some configuration when using the bundled libtls.
>>>
>>> - Various minor portability fixes.
>>>
>>> Checksums:
>>> ==
>>>
>>> SHA256 (opensmtpd-7.3.0p0.tar.gz) =
>>> 2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6
>>>
>>> Verify:
>>> ===
>>>
>>> Starting with version 5.7.1, releases are signed with signify(1).
>>>
>>> You can obtain the public key from our website, check with our
>>> community
>>> that it has not been altered on its way to your machine.
>>>
>>> $ wget 

Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread latincom
> On 2023/06/17 09:21:45 -0700, latin...@vcn.bc.ca wrote:
>> Hello
>>
>> Please excuse my question, if I am lost!
>>
>> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
>>
>> Is this complicated thing that you mentioned going to affect my
>> servers?
>>
>> I use OpenBSD because of its simplicity!
>>
>> Thanks.
>
> I should have probably mentioned more clearly that this was the
> announce for the -portable version that exists to port OpenSMTPD to
> other systems.
>
> So, no, if you're using OpenBSD smtpd is in base you were already
> using the latest version :)
>
>
> Cheers,
>
> Omar Polo
>

Thanks Polo for the information.





Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Frank de Bruijn

On 17-06-2023 at 19:49, Simon Harrison wrote:
> On Sat, 17 Jun 2023 19:20:26 +0200
> Frank de Bruijn  wrote:
>
> > On 17-06-2023 at 18:43, Simon Harrison wrote:
> > > On Sat, 17 Jun 2023 09:50:17 +0200
> > > Omar Polo  wrote:
> > >
> > > > OpenSMTPD 7.3.0p0 has just been released.
> > >
> > > When someone compiles (and runs) this on Debian Bookworm, can you
> > > post a quick howto. I tried on one of my servers and had lots of
> > > errors.
> >
> > I built the release candidates a little while ago and rc2 is still
> > running here. I'll build this version one of these days (maybe
> > tomorrow) and I'll let you know the result and the procedure. A word
> > of warning, though: I always use sbuild. I don't know if you're
> > familiar with it.
> >
> > Regards,
> > Frank
>
> Hi Frank. I'm not familiar with it, but looking into it now.
>
> Thanks,
> Simon


If setting up sbuild is too much, I can always make the resulting .deb 
available.


Regards,
Frank



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 19:20:26 +0200
Frank de Bruijn  wrote:

> On 17-06-2023 at 18:43, Simon Harrison wrote:
> > On Sat, 17 Jun 2023 09:50:17 +0200
> > Omar Polo  wrote:
> >   
> >> OpenSMTPD 7.3.0p0 has just been released.
> >>  
> > 
> > When someone compiles (and runs) this on Debian Bookworm, can you
> > post a quick howto. I tried on one of my servers and had lots of
> > errors.  
> 
> I built the release candidates a little while ago and rc2 is still 
> running here. I'll build this version one of these days (maybe
> tomorrow) and I'll let you know the result and the procedure. A word
> of warning, though: I always use sbuild. I don't know if you're
> familiar with it.
> 
> Regards,
> Frank
> 

Hi Frank. I'm not familiar with it, but looking into it now. 

Thanks,

Simon



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Frank de Bruijn

On 17-06-2023 at 18:43, Simon Harrison wrote:
> On Sat, 17 Jun 2023 09:50:17 +0200
> Omar Polo  wrote:
>
> > OpenSMTPD 7.3.0p0 has just been released.
>
> When someone compiles (and runs) this on Debian Bookworm, can you post
> a quick howto. I tried on one of my servers and had lots of errors.


I built the release candidates a little while ago and rc2 is still 
running here. I'll build this version one of these days (maybe tomorrow) 
and I'll let you know the result and the procedure. A word of warning, 
though: I always use sbuild. I don't know if you're familiar with it.


Regards,
Frank



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 09:50:17 +0200
Omar Polo  wrote:

> OpenSMTPD 7.3.0p0 has just been released.
> 

When someone compiles (and runs) this on Debian Bookworm, can you post
a quick howto. I tried on one of my servers and had lots of errors. 

I've since gone back to the Debian default version. 

Cheers.



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread gilles
Hello,

OpenBSD 7.3 ships with the code used to build OpenSMTPD 7.3.0 portable,
so you're not "affected" by this release: releases announced here are a
port of OpenSMTPD for other systems.

Gilles


June 17, 2023 6:21 PM, latin...@vcn.bc.ca wrote:

> Hello
> 
> Please excuse my question, if I am lost!
> 
> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
> 
> Is this complicated thing that you mentioned going to affect my servers?
> 
> I use OpenBSD because of its simplicity!
> 
> Thanks.
> 
>> OpenSMTPD 7.3.0p0 has just been released.
>> 
>> OpenSMTPD is a FREE implementation of the SMTP protocol with some common
>> extensions. It allows ordinary machines to exchange e-mails with systems
>> speaking the SMTP protocol. It implements a fairly large part of RFC5321
>> and can already cover a large range of use-cases.
>> 
>> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
>> 
>> The archives are now available from the main site at www.OpenSMTPD.org
>> 
>> We would like to thank the OpenSMTPD community for their help in testing
>> the snapshots, reporting bugs, contributing code and packaging for other
>> systems.
>> 
>> This is a major release with multiple bug fixes and new features.
>> 
>> Dependencies note:
>> ==
>> 
>> This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with
>> LibreTLS.
>> 
>> LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
>> the bundled one using the `--with-bundled-libtls' configure flag until
>> it is updated.
>> 
>> It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
>> with that dependency. OpenSSL library is considered as a best effort
>> target TLS library and provided as a commodity, LibreSSL has become our
>> target TLS library.
>> 
>> Changes in this release:
>> 
>> 
>> Includes the following security fixes:
>> - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a
>> connection from a local, scoped ipv6 address"
>> - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
>> 
>> Configuration changes:
>> - The certificate to use is now selected by looking at the names
>> found in the certificates themselves rather than the `pki` name.
>> The set of certificates for a TLS listener must be defined
>> explicitly by using the `pki` listener option multiple times.
>> 
>> Synced with OpenBSD 7.3:
>> - OpenBSD 6.9:
>> * Introduced smtp(1) `-a` to perform authentication before sending
>> a message.
>> * Fixed a memory leak in smtpd(8) resolver.
>> * Prevented a crash due to premature release of resources by the
>> smtpd(8) filter state machine.
>> * Switch to libtls internally.
>> * Change the way SNI works in smtpd.conf(5). TLS listeners may be
>> configured with multiple certificates. The matching is based on
>> the names included in the certificates.
>> * Allow to specify TLS protocols and ciphers per listener and
>> relay action.
>> - OpenBSD 7.0:
>> * Fixed incorrect status code for expired mails resulting in
>> misleading bounce report in smtpd(8).
>> * Added TLS options `cafile=(path)`, `nosni`, `noverify` and
>> `servername=(name)` to smtp(1).
>> * Allowed specification of TLS ciphers and protocols in smtp(1).
>> - OpenBSD 7.1:
>> * Stop verifying the cert or CA for a relay using opportunistic TLS.
>> * Enabled TLS verify by default for outbound "smtps://" and
>> "smtp+tls://", restoring documented smtpd(8) behavior.
>> - OpenBSD 7.3:
>> * Prevented smtpd(8) abort due to a connection from a local,
>> scoped ipv6 address.
>> 
>> Portable layer changes:
>> - libbsd and libtls are now optionally used if found.
>> + Added `--with-libbsd`/`--without-libbsd` configure flag to enable
>> linking to libbsd-overlay.
>> + Added `--with-bundled-libtls` to force the usage of the bundled
>> libtls.
>> 
>> LibreTLS 3.7.0 (last version at the time of writing) and previous
>> have a regression with OpenSSL 3+, so please use the bundled one.
>> See the GitHub issue #1171 for more info.
>> 
>> - Updated and cleanup of the OpenBSD compats.
>> + Ported `res_randomid()` from OpenBSD.
>> 
>> - The configure option `--with-path-CAfile` shouldn't be required
>> anymore in most systems but it is retained since it could be useful in
>> some configuration when using the bundled libtls.
>> 
>> - Various minor portability fixes.
>> 
>> Checksums:
>> ==
>> 
>> SHA256 (opensmtpd-7.3.0p0.tar.gz) =
>> 2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6
>> 
>> Verify:
>> ===
>> 
>> Starting with version 5.7.1, releases are signed with signify(1).
>> 
>> You can obtain the public key from our website, check with our community
>> that it has not been altered on its way to your machine.
>> 
>> $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
>> 
>> Once you are confident the key is correct, you can verify the release as
>> described below:
>> 
>> 1- download both release tarball and matching signature file to same
>> directory:
>> 

Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Omar Polo
On 2023/06/17 09:21:45 -0700, latin...@vcn.bc.ca wrote:
> Hello
> 
> Please excuse my question, if I am lost!
> 
> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
> 
> Is this complicated thing that you mentioned going to affect my servers?
> 
> I use OpenBSD because of its simplicity!
> 
> Thanks.

I should have probably mentioned more clearly that this was the
announce for the -portable version that exists to port OpenSMTPD to
other systems.

So, no, if you're using OpenBSD smtpd is in base you were already
using the latest version :)


Cheers,

Omar Polo



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 09:21:45 -0700
latin...@vcn.bc.ca wrote:

> Hello
> 
> Please excuse my question, if I am lost!
> 
> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
> 
> Is this complicated thing that you mentioned going to affect my
> servers?
> 
> I use OpenBSD because of its simplicity!
> 
> Thanks.

No mate. This is the portable version. You're already using the latest
version on OpenBSD. This is for people like me running Linux.




Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread latincom
Hello

Please excuse my question, if I am lost!

I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.

Is this complicated thing that you mentioned going to affect my servers?

I use OpenBSD because of its simplicity!

Thanks.

> OpenSMTPD 7.3.0p0 has just been released.
>
> OpenSMTPD is a FREE implementation of the SMTP protocol with some common
> extensions. It allows ordinary machines to exchange e-mails with systems
> speaking the SMTP protocol. It implements a fairly large part of RFC5321
> and can already cover a large range of use-cases.
>
> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
>
> The archives are now available from the main site at www.OpenSMTPD.org
>
> We would like to thank the OpenSMTPD community for their help in testing
> the snapshots, reporting bugs, contributing code and packaging for other
> systems.
>
> This is a major release with multiple bug fixes and new features.
>
>
> Dependencies note:
> ==
>
> This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with
> LibreTLS.
>
> LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
> the bundled one using the `--with-bundled-libtls' configure flag until
> it is updated.
>
> It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
> with that dependency. OpenSSL library is considered as a best effort
> target TLS library and provided as a commodity, LibreSSL has become our
> target TLS library.
>
>
> Changes in this release:
> 
>
> Includes the following security fixes:
>   - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a
> connection from a local, scoped ipv6 address"
>   - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
>
> Configuration changes:
>   - The certificate to use is now selected by looking at the names
> found in the certificates themselves rather than the `pki` name.
> The set of certificates for a TLS listener must be defined
> explicitly by using the `pki` listener option multiple times.
>
> Synced with OpenBSD 7.3:
>   - OpenBSD 6.9:
> * Introduced smtp(1) `-a` to perform authentication before sending
>   a message.
> * Fixed a memory leak in smtpd(8) resolver.
> * Prevented a crash due to premature release of resources by the
>   smtpd(8) filter state machine.
> * Switch to libtls internally.
> * Change the way SNI works in smtpd.conf(5).  TLS listeners may be
>   configured with multiple certificates.  The matching is based on
>   the names included in the certificates.
> * Allow to specify TLS protocols and ciphers per listener and
>   relay action.
>   - OpenBSD 7.0:
> * Fixed incorrect status code for expired mails resulting in
>   misleading bounce report in smtpd(8).
> * Added TLS options `cafile=(path)`, `nosni`, `noverify` and
>   `servername=(name)` to smtp(1).
> * Allowed specification of TLS ciphers and protocols in smtp(1).
>   - OpenBSD 7.1:
> * Stop verifying the cert or CA for a relay using opportunistic TLS.
> * Enabled TLS verify by default for outbound "smtps://" and
>   "smtp+tls://", restoring documented smtpd(8) behavior.
>   - OpenBSD 7.3:
> * Prevented smtpd(8) abort due to a connection from a local,
>   scoped ipv6 address.
>
> Portable layer changes:
>   - libbsd and libtls are now optionally used if found.
> + Added `--with-libbsd`/`--without-libbsd` configure flag to enable
>   linking to libbsd-overlay.
> + Added `--with-bundled-libtls` to force the usage of the bundled
>   libtls.
>
>   LibreTLS 3.7.0 (last version at the time of writing) and previous
>   have a regression with OpenSSL 3+, so please use the bundled one.
>   See the GitHub issue #1171 for more info.
>
>   - Updated and cleanup of the OpenBSD compats.
> + Ported `res_randomid()` from OpenBSD.
>
>   - The configure option `--with-path-CAfile` shouldn't be required
> anymore in most systems but it is retained since it could be useful in
> some configuration when using the bundled libtls.
>
>   - Various minor portability fixes.
>
> Checksums:
> ==
>
>   SHA256 (opensmtpd-7.3.0p0.tar.gz) =
>   2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6
>
>
> Verify:
> ===
>
> Starting with version 5.7.1, releases are signed with signify(1).
>
> You can obtain the public key from our website, check with our community
> that it has not been altered on its way to your machine.
>
> $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
>
> Once you are confident the key is correct, you can verify the release as
> described below:
>
> 1- download both release tarball and matching signature file to same
> directory:
>
> $ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.sum.sig
> $ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.tar.gz
>
>
> 2- use `signify` to verify that signature file is properly 

Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread gilles
thanks \o/

June 17, 2023 9:50 AM, "Omar Polo"  wrote:

> OpenSMTPD 7.3.0p0 has just been released.
> 
> OpenSMTPD is a FREE implementation of the SMTP protocol with some common
> extensions. It allows ordinary machines to exchange e-mails with systems
> speaking the SMTP protocol. It implements a fairly large part of RFC5321
> and can already cover a large range of use-cases.
> 
> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.
> 
> The archives are now available from the main site at www.OpenSMTPD.org
> 
> We would like to thank the OpenSMTPD community for their help in testing
> the snapshots, reporting bugs, contributing code and packaging for other
> systems.
> 
> This is a major release with multiple bug fixes and new features.
> 
> Dependencies note:
> ==
> 
> This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with
> LibreTLS.
> 
> LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
> the bundled one using the `--with-bundled-libtls' configure flag until
> it is updated.
> 
> It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
> with that dependency. OpenSSL library is considered as a best effort
> target TLS library and provided as a commodity, LibreSSL has become our
> target TLS library.
> 
> Changes in this release:
> 
> 
> Includes the following security fixes:
> - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a
> connection from a local, scoped ipv6 address"
> - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"
> 
> Configuration changes:
> - The certificate to use is now selected by looking at the names
> found in the certificates themselves rather than the `pki` name.
> The set of certificates for a TLS listener must be defined
> explicitly by using the `pki` listener option multiple times.
> 
> Synced with OpenBSD 7.3:
> - OpenBSD 6.9:
> * Introduced smtp(1) `-a` to perform authentication before sending
> a message.
> * Fixed a memory leak in smtpd(8) resolver.
> * Prevented a crash due to premature release of resources by the
> smtpd(8) filter state machine.
> * Switch to libtls internally.
> * Change the way SNI works in smtpd.conf(5). TLS listeners may be
> configured with multiple certificates. The matching is based on
> the names included in the certificates.
> * Allow to specify TLS protocols and ciphers per listener and
> relay action.
> - OpenBSD 7.0:
> * Fixed incorrect status code for expired mails resulting in
> misleading bounce report in smtpd(8).
> * Added TLS options `cafile=(path)`, `nosni`, `noverify` and
> `servername=(name)` to smtp(1).
> * Allowed specification of TLS ciphers and protocols in smtp(1).
> - OpenBSD 7.1:
> * Stop verifying the cert or CA for a relay using opportunistic TLS.
> * Enabled TLS verify by default for outbound "smtps://" and
> "smtp+tls://", restoring documented smtpd(8) behavior.
> - OpenBSD 7.3:
> * Prevented smtpd(8) abort due to a connection from a local,
> scoped ipv6 address.
> 
> Portable layer changes:
> - libbsd and libtls are now optionally used if found.
> + Added `--with-libbsd`/`--without-libbsd` configure flag to enable
> linking to libbsd-overlay.
> + Added `--with-bundled-libtls` to force the usage of the bundled
> libtls.
> 
> LibreTLS 3.7.0 (last version at the time of writing) and previous
> have a regression with OpenSSL 3+, so please use the bundled one.
> See the GitHub issue #1171 for more info.
> 
> - Updated and cleanup of the OpenBSD compats.
> + Ported `res_randomid()` from OpenBSD.
> 
> - The configure option `--with-path-CAfile` shouldn't be required
> anymore in most systems but it is retained since it could be useful in
> some configuration when using the bundled libtls.
> 
> - Various minor portability fixes.
> 
> Checksums:
> ==
> 
> SHA256 (opensmtpd-7.3.0p0.tar.gz) =
> 2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6
> 
> Verify:
> ===
> 
> Starting with version 5.7.1, releases are signed with signify(1).
> 
> You can obtain the public key from our website, check with our community
> that it has not been altered on its way to your machine.
> 
> $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
> 
> Once you are confident the key is correct, you can verify the release as
> described below:
> 
> 1- download both release tarball and matching signature file to same 
> directory:
> 
> $ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.sum.sig
> $ wget https://www.opensmtpd.org/archives/opensmtpd-7.3.0p0.tar.gz
> 
> 2- use `signify` to verify that signature file is properly signed and that the
> checksum matches the release tarball you downloaded:
> 
> for portable version:
> $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.3.0p0.sum.sig
> Signature Verified
> opensmtpd-7.3.0p0.tar.gz: OK
> 
> If you don't get an OK message, then something is not right and you should not
> install without first understanding why it failed.
> 
>
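
The checksum comparison from the verification procedure quoted above, as an added example that is not part of the original announcement or of the OpenSMTPD project's tooling: it parses a BSD-style `SHA256 (name) = digest` line, the format shown under "Checksums", and compares it with the digest of the downloaded file. The function names (`sha256_of`, `expected_sum`, `verify_release`, `demo`) and the `example-1.0` files are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the announcement). A matching digest only proves
# the file agrees with the checksum list, so the list itself must come from
# a source you have authenticated (the signify -C step does both checks).

# Print the lowercase hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no SHA-256 tool found" >&2
        return 127
    fi
}

# Print the digest recorded for NAME in a list of "SHA256 (NAME) = hex" lines.
# Other lines (comments, signature headers) are skipped. Exit 1 if no entry.
# Assumes NAME contains no whitespace, as release tarball names do not.
expected_sum() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" {
            print tolower($4); found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# verify_release FILE SUMLIST
# Returns 0 on match, 1 on mismatch, 2 on a missing or malformed entry,
# 3 if the file cannot be read or hashed.
verify_release() {
    vr_file=$1
    vr_name=$(basename "$vr_file")
    [ -r "$vr_file" ] || { echo "$vr_name: cannot read" >&2; return 3; }
    vr_want=$(expected_sum "$2" "$vr_name") || {
        echo "$vr_name: no SHA256 entry in $2" >&2; return 2; }
    # A SHA-256 digest is exactly 64 lowercase hex characters.
    case $vr_want in *[!0-9a-f]*) return 2 ;; esac
    [ "${#vr_want}" -eq 64 ] || return 2
    vr_got=$(sha256_of "$vr_file") || return 3
    if [ "$vr_got" = "$vr_want" ]; then
        echo "$vr_name: OK"
        return 0
    fi
    echo "$vr_name: FAILED (digest mismatch)" >&2
    return 1
}

# Offline demonstration on constructed files: an intact file passes, and the
# same file fails after one line is appended to it.
demo() {
    d_dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a release tarball\n' \
        > "$d_dir/example-1.0.tar.gz"
    {
        echo 'untrusted comment: constructed header line, skipped by the parser'
        echo "SHA256 (example-1.0.tar.gz) = $(sha256_of "$d_dir/example-1.0.tar.gz")"
    } > "$d_dir/example-1.0.sum"
    d_ok=0
    verify_release "$d_dir/example-1.0.tar.gz" "$d_dir/example-1.0.sum" || d_ok=$?
    printf 'tampered\n' >> "$d_dir/example-1.0.tar.gz"
    d_bad=0
    verify_release "$d_dir/example-1.0.tar.gz" "$d_dir/example-1.0.sum" \
        2>/dev/null || d_bad=$?
    rm -rf "$d_dir"
    [ "$d_ok" -eq 0 ] && [ "$d_bad" -eq 1 ]
}

demo && echo "demo passed"
```
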