BSDSec

deadsimple BSD Security Advisories and Announcements

OpenSMTPD 7.6.0p0 Released

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.

The archives are now available from the main site at www.OpenSMTPD.org

We would like to thank the OpenSMTPD community for their help in testing
the snapshots, reporting bugs, contributing code and packaging for other
systems.

This is a major release with multiple bug fixes and new features.


Dependencies note:
==================

This release builds with LibreSSL, or OpenSSL >= 1.1.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. OpenSSL library is considered as a best effort
target TLS library and provided as a commodity, LibreSSL has become our
target TLS library.


Changes in this release:
========================


 - Introduced a new K_AUTH service to allow offloading the credentials
   to a proc table for non-crypt(3) authentication.  Helps with use
   cases like LDAP or custom auth.

 - Implement report responses for proc-filters too.

 - Changed the table protocol to a simpler text-based one.  Existing
   proc tables needs to be updated since old ones won't work.  The new
   protocol is documented in smtpd-tables(7).

 - Fixed the parsing of IPv6 addresses in file-backed table(5)

 - Document expected MDA behavior and the environment set by OpenSMTPD.

 - Set ORIGINAL_RECIPIENT in the environment of MDA scripts for
   compatibility with postfix.

 - Updated the bundled libtls.



Checksums:
==========

  SHA256 (opensmtpd-7.6.0p0.tar.gz)   4cc7f8caf0ba74a2932361e17dd03bd1c938178347a91c7f0c57a68a50623ce5


Verify:
=======

Starting with version 5.7.1, releases are signed with signify(1).

You can obtain the public key from our website, check with our community
that it has not been altered on its way to your machine.

    $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub

Once you are confident the key is correct, you can verify the release as
described below:

1. download both release tarball and matching signature file to same directory:

    $ wget https://www.opensmtpd.org/archives/opensmtpd-7.6.0p0.sum.sig
    $ wget https://www.opensmtpd.org/archives/opensmtpd-7.6.0p0.tar.gz


2. use `signify` to verify that signature file is properly signed and that the
   checksum matches the release tarball you downloaded:

    $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-7.6.0p0.sum.sig
    Signature Verified
    opensmtpd-7.6.0p0.tar.gz: OK


If you don't get an OK message, then something is not right and you should not
install without first understanding why it failed.


Support:
========

You are encouraged to register to our general purpose mailing-list:
    http://www.opensmtpd.org/list.html

The "Official" IRC channel for the project is at:
    #opensmtpd @ irc.libera.chat


Support us:
===========

The project is maintained by volunteers, you can support us by:

- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD project
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features

Get in touch with us by e-mail or on IRC for more informations.


Reporting Bugs:
===============

Please read http://www.opensmtpd.org/report.html
Security bugs should be reported directly to security@opensmtpd.org
Other bugs may be reported to bugs@opensmtpd.org