OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined by RFC 5321, with some additional standard extensions. It allows ordinary machines to exchange e-mails with other systems speaking the SMTP protocol. Started out of dissatisfaction with other implementations, OpenSMTPD is nowadays a fairly complete SMTP implementation. OpenSMTPD is primarily developed by Gilles Chehade, Eric Faurot and Charles Longeau, with contributions from various OpenBSD hackers. OpenSMTPD is part of the OpenBSD Project. The software is freely usable and re-usable by everyone under an ISC license.
This package uses the standard "alternatives" mechanism. You may call "/usr/sbin/alternatives --set mta /usr/sbin/sendmail.opensmtpd" to switch to the OpenSMTPD MTA immediately after install, and "/usr/sbin/alternatives --set mta /usr/sbin/sendmail.sendmail" to revert to Sendmail as the default mail daemon.
Original maintainer | Ryan Kavanagh |
---|---|
Homepage | http://www.opensmtpd.org/ |
6.6.4p1
6.0.3p1
6.0.2p1
5.7.3p2

Manual pages
smtp(1)
smtp - Simple Mail Transfer Protocol client
smtp.opensmtpd(1)
smtp - Simple Mail Transfer Protocol client
aliases(5)
aliases - Postfix local alias database format
aliases.opensmtpd(5)
aliases - aliases file for smtpd
forward(5)
forward - email forwarding information file
smtpd.conf(5)
smtpd.conf - Simple Mail Transfer Protocol daemon configuration file
table(5)
table - format description for smtpd tables
makemap(8)
makemap - create database maps for sendmail
makemap.opensmtpd(8)
makemap - create database maps for smtpd
newaliases(8)
newaliases - rebuild mail aliases
newaliases.opensmtpd(8)
newaliases - rebuild mail aliases
sendmail(8)
sendmail - a mail enqueuer for smtpd(8)
sendmail.opensmtpd(8)
sendmail - a mail enqueuer for smtpd(8)
smtpctl(8)
smtpctl, mailq - control the Simple Mail Transfer Protocol daemon
smtpd(8)
smtpd - Simple Mail Transfer Protocol daemon
smtpd.opensmtpd(8)
smtpd - Simple Mail Transfer Protocol daemon
Latest updates

Debian 10.0 buster-proposed-updates/main: Version 6.0.3p1-5+deb10u4 introduced
2020-03-05
- Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794) An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
OpenBSD 6.6 errata 021:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig

Debian 9.0 stretch-proposed-updates/main: Version 6.0.2p1-2+deb9u3 introduced
2020-03-05
- Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794) An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
OpenBSD 6.6 errata 021:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig

Fedora rawhide development/Everything-os: Updated from 6.0.3p1-8.fc31 to 6.6.4p1-2.fc33
2020-03-03
- Add "legacy_common_support" build option

Ubuntu 19.10 eoan-updates/universe: Updated from 6.0.3p1-6ubuntu0.1 to 6.0.3p1-6ubuntu0.2
2020-03-02
- SECURITY UPDATE: Local privilege escalation, remote code execution
- debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
- CVE-2020-8793
- CVE-2020-8794

Ubuntu 19.10 eoan-security/universe: Updated from 6.0.3p1-6ubuntu0.1 to 6.0.3p1-6ubuntu0.2
2020-03-02
- SECURITY UPDATE: Local privilege escalation, remote code execution
- debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
- CVE-2020-8793
- CVE-2020-8794

Ubuntu 18.04 LTS bionic-security/universe: Updated from 6.0.3p1-1ubuntu0.1 to 6.0.3p1-1ubuntu0.2
2020-03-02
- SECURITY UPDATE: Local privilege escalation, remote code execution
- debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
- CVE-2020-8793
- CVE-2020-8794

Ubuntu 18.04 LTS bionic-updates/universe: Updated from 6.0.3p1-1ubuntu0.1 to 6.0.3p1-1ubuntu0.2
2020-03-02
- SECURITY UPDATE: Local privilege escalation, remote code execution
- debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
- CVE-2020-8793
- CVE-2020-8794

Ubuntu 20.04 focal-proposed/universe: Version 6.6.4p1-1 removed
2020-03-01

Ubuntu 20.04 focal/universe: Updated from 6.6.2p1-1 to 6.6.4p1-1
2020-03-01
- New upstream release fixes critical security bug (Closes: #952453). Quoting from OpenBSD errata:
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
- Update copyright file with new copyright holders
- Remove stale entries from Uploaders field

Ubuntu 20.04 focal-proposed/universe: Version 6.6.4p1-1 introduced
2020-02-25
- New upstream release fixes critical security bug (Closes: #952453). Quoting from OpenBSD errata:
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
- Update copyright file with new copyright holders
- Remove stale entries from Uploaders field

Debian 10.0 buster-backports/main: Updated from 6.6.2p1-1~bpo10+1 to 6.6.4p1-1~bpo10+1
2020-02-25
- Rebuild for buster-backports.
- Fixes major security bug (Closes: #952453).

Arch rolling community/os: Updated from 6.6.3p1-1 to 6.6.4p1-1
2020-02-24

Arch rolling community/os: Updated from 6.6.2p1-1 to 6.6.3p1-1
2020-02-11

Debian 10.0 buster-proposed-updates/main: Version 6.0.3p1-5+deb10u3 removed
2020-02-08

Debian 10.0 buster/main: Updated from 6.0.3p1-5 to 6.0.3p1-5+deb10u3
2020-02-08
- Fix two major security bugs (Closes: #950121) (CVE-2020-7247)
- smtpd can crash on opportunistic TLS downgrade, causing a denial of service. OpenBSD 6.6 errata 018:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
- Fix privilege escalation vulnerability: An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user. OpenBSD 6.6 errata 019:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig

Debian 9.0 stretch-proposed-updates/main: Version 6.0.2p1-2+deb9u2 removed
2020-02-08

Debian 9.0 stretch/main: Updated from 6.0.2p1-2 to 6.0.2p1-2+deb9u2
2020-02-08
- Fix following vulnerability, 018_smtpd_tls.patch.sig: smtpd can crash on opportunistic TLS downgrade, causing a denial of service.

Ubuntu 19.10 eoan-updates/universe: Version 6.0.3p1-6ubuntu0.1 introduced
2020-02-05
- SECURITY UPDATE: Arbitrary command execution as root
- debian/patches/CVE-2020-7247.patch: Fix a security vulnerability discovered by Qualys which can lead to a privileges escalation on mbox deliveries and unprivileged code execution on lmtp deliveries, due to a logic issue causing a sanity check to be missed.
- CVE-2020-7247

Ubuntu 18.04 LTS bionic-updates/universe: Version 6.0.3p1-1ubuntu0.1 introduced
2020-02-05
- SECURITY UPDATE: Arbitrary command execution as root
- debian/patches/CVE-2020-7247.patch: Fix a security vulnerability discovered by Qualys which can lead to a privileges escalation on mbox deliveries and unprivileged code execution on lmtp deliveries, due to a logic issue causing a sanity check to be missed.
- CVE-2020-7247

Ubuntu 19.10 eoan-security/universe: Version 6.0.3p1-6ubuntu0.1 introduced
2020-02-05
- SECURITY UPDATE: Arbitrary command execution as root
- debian/patches/CVE-2020-7247.patch: Fix a security vulnerability discovered by Qualys which can lead to a privileges escalation on mbox deliveries and unprivileged code execution on lmtp deliveries, due to a logic issue causing a sanity check to be missed.
- CVE-2020-7247
Related packages
opensmtpd-debuginfo - Debug information for package opensmtpd
opensmtpd-debugsource - Debug sources for package opensmtpd
opensmtpd-extras - addons for the OpenSMTPD SMTP server
opensmtpd-extras-experimental - experimental addons for the OpenSMTPD SMTP server
opensmtpd-filter-rspamd - OpenSMTPD filter integration for Rspamd
opensmtpd-filter-senderscore - OpenSMTPD filter integration for Sender Score