deadsimple BSD Security Advisories and Announcements

OpenSMTPD 7.3.0p0 released

OpenSMTPD 7.3.0p0 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.

The archives are now available from the main site at

We would like to thank the OpenSMTPD community for their help in testing
the snapshots, reporting bugs, contributing code and packaging for other

This is a major release with multiple bug fixes and new features.

Dependencies note:

This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with

LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
the bundled one using the `--with-bundled-libtls' configure flag until
it is updated.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. OpenSSL library is considered as a best effort
target TLS library and provided as a commodity, LibreSSL has become our
target TLS library.

Changes in this release:

Includes the following security fixes:
  - OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a
    connection from a local, scoped ipv6 address"
  - OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"

Configuration changes:
  - The certificate to use is now selected by looking at the names
    found in the certificates themselves rather than the `pki' name.
    The set of certificates for a TLS listener must be defined
    explicitly by using the `pki' listener option multiple times.

Synced with OpenBSD 7.3:
  - OpenBSD 6.9:
    * Introduced smtp(1) `-a' to perform authentication before sending
      a message.
    * Fixed a memory leak in smtpd(8) resolver.
    * Prevented a crash due to premature release of resources by the
      smtpd(8) filter state machine.
    * Switch to libtls internally.
    * Change the way SNI works in smtpd.conf(5).  TLS listeners may be
      configured with multiple certificates.  The matching is based on
      the names included in the certificates.
    * Allow to specify TLS protocols and ciphers per listener and
      relay action.
  - OpenBSD 7.0:
    * Fixed incorrect status code for expired mails resulting in
      misleading bounce report in smtpd(8).
    * Added TLS options `cafile=(path)', `nosni', `noverify' and
      `servername=(name)' to smtp(1).
    * Allowed specification of TLS ciphers and protocols in smtp(1).
  - OpenBSD 7.1:
    * Stop verifying the cert or CA for a relay using opportunistic TLS.
    * Enabled TLS verify by default for outbound "smtps://" and
      "smtp+tls://", restoring documented smtpd(8) behavior.
  - OpenBSD 7.3:
    * Prevented smtpd(8) abort due to a connection from a local,
      scoped ipv6 address.

Portable layer changes:
  - libbsd and libtls are now optionally used if found.
    + Added `--with-libbsd'/`--without-libbsd' configure flag to enable
      linking to libbsd-overlay.
    + Added `--with-bundled-libtls' to force the usage of the bundled

      LibreTLS 3.7.0 (last version at the time of writing) and previous
      have a regression with OpenSSL 3+, so please use the bundled one.
      See the GitHub issue #1171 for more info.

  - Updated and cleanup of the OpenBSD compats.
    + Ported res_randomid() from OpenBSD.

  - The configure option `--with-path-CAfile' shouldn't be required
    anymore in most systems but it is retained since it could be useful in
    some configuration when using the bundled libtls.

  - Various minor portability fixes.


  SHA256 (opensmtpd-7.3.0p0.tar.gz)   2dd7a5a8ca127be7eb491540405684acb3dd04d93ad23d7709accd2b0450cae6


Starting with version 5.7.1, releases are signed with signify(1).

You can obtain the public key from our website, check with our community
that it has not been altered on its way to your machine.

   $ wget

Once you are confident the key is correct, you can verify the release as
described below:

1- download both release tarball and matching signature file to same directory:

   $ wget
   $ wget

2- use signify(1) to verify that signature file is properly signed and that the
   checksum matches the release tarball you downloaded:

   for portable version:
   $ signify -C -e -p -x opensmtpd-7.3.0p0.sum.sig
   Signature Verified
   opensmtpd-7.3.0p0.tar.gz: OK

If you don't get an OK message, then something is not right and you should not
install without first understanding why it failed.


You are encouraged to register to our general purpose mailing-list:

The "Official" IRC channel for the project is at:
    #opensmtpd @

Support us:

The project is maintained by volunteers, you can support us by:

- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD project
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features

Get in touch with us by e-mail or on IRC for more informations.

Reporting Bugs:

Please read
Security bugs should be reported directly to
Other bugs may be reported to