[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mailutils-3.8 released [stable]

From: Sergey Poznyakoff
Subject: mailutils-3.8 released [stable]
Date: Wed, 06 Nov 2019 13:52:40 +0200


This is to inform you that GNU mailutils version 3.8 is available for
download.  This stable release fixes an important security flaw and
introduces several new features.  Please see the end of this message
for details.

Here are the compressed sources:   (6.5MB)  (4.4MB)   (2.9MB)

Here are the GPG detached signatures[*]:

Use a mirror for higher download bandwidth:

Here are the MD5 and SHA1 checksums:

8329ccc1ffd59721c7fd2c376c0ff9e7  mailutils-3.8.tar.gz
f5415d18bca06eaff82e6c225810999a  mailutils-3.8.tar.bz2
283f803ea2057d50ecabf9fd8de9b776  mailutils-3.8.tar.xz
f650fa52721b32fe2f7b2cbc4a479aa793880c4a  mailutils-3.8.tar.gz
2b751b7dc831f7b28162656f83ed815cafba936a  mailutils-3.8.tar.bz2
5ef6f6c58b95c24acf1181c53586ff1f09de25c0  mailutils-3.8.tar.xz

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify mailutils-3.8.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver --recv-keys 3602B07F55D0C732

and rerun the 'gpg --verify' command.

Important changes in this release:

* The maidag utility is withdrawn

The main purpose of this utility was to work as local mail delivery
agent (MDA), a program responsible for final delivery of email messages
to the recipient's mailbox.  As such it required suid privileges.

In parallel with its main purpose, it also was able to work in two
other modes: the 'url' mode, designed to deliver mails to arbitrary
mailbox URLs, and 'lmtp' mode, in which it acted as local mail
transport daemon.  Neither of these needed suid privileges.

The unfortunate design decision to combine the three modes in a single
versatile tool resulted in local privilege escalation threat in 'url'

To fix this, maidag has been replaced by three different utilities,
each one with a precisely defined purpose and carefully designed
privileges: mda, lmtpd, and putmail.

* mda

GNU Mail Delivery Agent, the program used by mail transport agent for
local mail delivery.  MTA starts it with non-root privileges, so it
needs the setuid bit in order to be able to assume the recipient's
identity when delivering mail.  User input is limited to the actual
message, which is read from the standard input.  The usual flexible
mailutils configuration subsystem is disabled in this utility, all
settings being read from the main configuration file only.  This file
is writable only for root.  Configuration settings cannot be altered
from the command line.

The command line usage is mostly compatible with the maidag, which
facilitates transition to mda.

* lmtpd

GNU Local Mail Transfer Protocol daemon.  Normally it is started by
root and remains in the background serving LMTP connections from the

* putmail

A user tool for delivering messages to the specified mailbox URL.
Runs with user privileges.  This provides the functionality of 'maidag
--url', without any security implications.

* Use of TLS in pop3d run from inetd

New global configuration statement "tls-mode" configures the TLS for
use in inetd mode.
The certificate and key files are configured by the global "tls"
compound statement.
Example configuration (pop3s server):
  mode inetd;
  tls-mode connection;
  tls {
      ssl-key-file /etc/ssl/key.pem;
      ssl-certificate-file /etc/ssl/cert.pem;

* comsatd --test

The --test option takes optional argument: name of the tty or file to
use for reporting.

* mail

** fix the semantics of 'hold' and 'keepsave' variables

** New message type specification ":s"

Selects messages in state 'saved'.

Best regards,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]