Subject: Announce: OpenSMTPD 5.9.2 released OpenSMTPD 5.9.2 has just been released. OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases. It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and Linux. The archives are now available from the main site at www.OpenSMTPD.org We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems. This is a major release with reliability fixes mostly. Issues fixed in this release (since 5.9.2): =========================================== - remove dead code - tons of code cleanup and simplification - tons of code adaptations to ease portability - reduce memory usage by invalidating envelopes cache earlier - simplify a great deal the smtp session code - get rid of 'kick' mechanism, we'll reintroduce a better one - all smtpd processes now use the pledge() API - kill support for 'dbm' db type, it cannot be made to work for us - introduce "listen on socket" - enqueuer is now setgid to avoid attacks against offline queue [1] - fix mailq / smtpctl show queue breakage - plug two memory leaks and one descriptor leak - fix error code path for delivery loop that can lead to a fatal() [1] follow-up to the Qualys Security audit fixes from 5.7.3 Checksums: ========== SHA256 (opensmtpd-5.9.2.tar.gz) = 837536838a11fb7ce09a61c49675ea73975a25997dda652bb13c75cc759f7bfc SHA256 (opensmtpd-5.9.2p1.tar.gz) = 3522f273c1630c781facdb2b921228e338ed4e651909316735df775d6a70a71d Verify: ======= Starting with version 5.7.1, releases are signed with signify(1). You can obtain the public key from our website, check with our community that it has not been altered on its way to your machine. Once you are confident the key is correct, you can verify the release as described below: 1- download both release tarball and matching signature file to same directory: for OpenBSD version: $ wget https://www.opensmtpd.org/archives/opensmtpd-5.9.2.sum.sig $ wget https://www.opensmtpd.org/archives/opensmtpd-5.9.2.tar.gz for portable version: $ wget https://www.opensmtpd.org/archives/opensmtpd-5.9.2p1.sum.sig $ wget https://www.opensmtpd.org/archives/opensmtpd-5.9.2p1.tar.gz 2- use `signify` to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded: for OpenBSD version: $ signify -C -p opensmtpd.pub -x opensmtpd-5.9.2.sum.sig Signature Verified opensmtpd-5.9.2.tar.gz: OK for portable version: $ signify -C -p opensmtpd.pub -x opensmtpd-5.9.2p1.sum.sig Signature Verified opensmtpd-5.9.2p1.tar.gz: OK If you don't get an OK message, then something is not right and you should not install without first understanding why it failed. Support: ======== You are encouraged to register to our general purpose mailing-list: http://www.opensmtpd.org/list.html The "Official" IRC channel for the project is at: #OpenSMTPD @ irc.freenode.net Reporting Bugs: =============== Please read http://www.opensmtpd.org/report.html Security bugs should be reported directly to security@opensmtpd.org Other bugs may be reported to bugs@opensmtpd.org OpenSMTPD is brought to you by Gilles Chehade, Eric Faurot and Sunil Nimmagadda.