Public
- Public
- Network
- Groups
- Featured
- Popular
- People

@poolpOrgpoolpOrg wrote: > Users can avoid dangerous code by not using action mbox, is that correct? In a vulnerable OpenSMTPD, only maildir is safe. On a fix OpenSMTPD, yes you are right: only action mbox is dangerous. I'm working with other OpenBSD hackers on lifting the requirement for privileges in mail.local so that OpenSMTPD can consider it similar to any other delivery method and it will no longer be dangerous.

Download link

@poolpOrgpoolpOrg wrote: > Users can avoid dangerous code by not using action mbox, is that correct? In a vulnerable OpenSMTPD, only maildir is safe. On a fix OpenSMTPD, yes you are right: only action mbox is dangerous. I'm working with other OpenBSD hackers on lifting the requirement for privileges in mail.local so that OpenSMTPD can consider it similar to any other delivery method and it will no longer be dangerous.
https://misskey-taube.s3.eu-central-1.wasabisys.com/files/20617ed8-bf67-4124-b967-d323bfd57792.webp

Notices where this attachment appears

Embed this notice
niconiconi (niconiconi@mk.absturztau.be)'s status on Tuesday, 20-Aug-2024 19:34:16 JST niconiconi

When I was installing my first mail server years ago, I saw mbox and thought, "Seriously? Who still uses this ancient format from the original Unix..." and changed that to Maildir without thinking. When reviewing old news today, TIL I unconsciously hardened my server from that infamous 2020 OpenSMTPD root exploit. :blobcatlul: Turned out the ancient mbox format also made it difficult to drop privileges... Also, @lanodan@queer.hacktivis.me, hi. https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

In conversation about 3 months ago from mk.absturztau.be permalink