TL;DR: deraadt@ thought it would be nice to have an SPF fetch utility in base. Aaron Poffenberger wrote a shell-based `spf_fetch` utility. I wrote a C-based `spfwalk` utility that's `pledge()`-ed. The `spfwalk` utility got merged to `smtpctl`.

What’s SPF in a few words

SPF is the Sender Policy Framework, a standard to verify the domain name of an e-mail sender. Long story short, the SMTP protocol does not come with a way to authenticate a domain and, during an SMTP session, nothing really prevents a sender from pretending to come from any domain: [Read More]

News from the front !

TL;DR: Came very close to a burnout in late 2016, had to quit former employer. Started working at another company early 2017. Became a student again, currently halfway through second year in psychology. Haven't done much open source since early 2017, slowly resuming.

Happy new year !

I wish you a very happy new year 2018 and hope that you succeed in whatever you attempt. It feels odd to write again to this blog considering the last blog post dates from September 2016, over a year ago. [Read More]

OpenSMTPD 6.0.0 is released !

TL;DR: We just released OpenSMTPD 6.0.0 and it's quite different from former releases. Turns out most of the changes are not visible.

A featureless release

I managed to wrap the 6.0.0 release yesterday. Unlike most of our releases, it comes out with almost no new features. The changelog fits in less than 10 lines as follows:

- new fork+reexec model so each process has its own randomized memory space
- logging format has been reworked
- a "multi-line response" bug in the LMTP delivery backend has been fixed
- connections concurrency limits have been bumped
- artificial delaying in remote sessions has been reduced
- dhparams option has been removed
- dhe option has been added, supporting auto and legacy modes
- smtp engine has been simplified
- various cosmetic changes, code cleanup and documentation improvement

Seems like a very productive slacking, however some of these changes turn out to be very interesting in terms of code simplification and security. [Read More]

Home, sweet home

TL;DR: OpenSMTPD on GitHub no longer diverges from OpenBSD.

Since last episode

Sometime this year, we released OpenSMTPD 5.7.1 which was the first version that shipped with the long-awaited experimental filters support. The result of over a year and a half of very very deep refactor in our IO layer and the addition of a very elegant but also very tricky new API. This refactor took place outside the OpenBSD tree because it required breaking a lot of code for extended periods of time, which spanned over 3 OpenBSD releases. [Read More]

The state of filters

TL;DR: yeeeees, filters are coming. don't believe us ? here's an example. be patient.

On my death bed

On my death bed, when my life flashes before my eyes and I start recalling what people have told me during my (hopefully long) lifetime, these sentences will single out: “When will OpenSMTPD support filters ? I need it.” Not that it carries a philosophical meaning that will have taken me a lifetime of thinking, but because for the last three years I have been hearing this every time I met someone IRL and discussed OpenSMTPD, I have read it on our Github issues tracker, on GTalk, on IRC, on Twitter, on Facebook, on random forums, and just this week three times in my mailbox. [Read More]

Some OpenSMTPD overview, part 3

EHLO, This is the third post of a series about OpenSMTPD improvements that have taken place since this summer.

Content altering

For a long time, we have developed OpenSMTPD with a strict rule that the daemon should not alter DATA (as in the DATA SMTP phase) in any way. The rationale was that by enforcing that rule, the message writing was simplified as the smtp process would simply read data from a client and write it, without any post-processing, to a file descriptor. [Read More]

Some OpenSMTPD overview, part 2

Why we killed the MFA (filter) process

For as long as I can remember, a process called MFA was created by OpenSMTPD at start time. MFA stood for “Mail Filter Agent” and the goal of that process was initially to take care of all filtering tasks ranging from filtering senders based on the ruleset matching to starting and controlling filters. As time passed by, we figured the lookup process was better suited for ruleset matching and the MFA process became mostly idle; we renamed it to “filter” process since the only thing it had to do was take care of starting filters and making sure they had the proper environment. [Read More]

Some OpenSMTPD overview, part 1

EHLO world ! Yesterday I thought I’d write a first OpenSMTPD-related post to sum up the changes that have happened since this summer but it turned out to be painful as they amount to quite a lot. Instead, I think a better strategy is to split this into a series of smaller posts focused on the specific changes ;-) So, in June I organized a mini hackathon at my brand new place and invited some of the French Connection at home. [Read More]

what the fsck did just happen

Good news everyone ! With the last post dating from almost a year ago, we can all agree that I’ve surpassed my slacking skills by a great margin and I probably deserve an award of some kind ;-) Anyways, there’s been a few complaints during these 12 months because this blog was the main source of information for the OpenSMTPD project and several posts which used to describe features and configuration samples had suddenly disappeared. [Read More]


EHLO readers, This blog post is the first in a few months, I’ve been busy and struggling with some personal health and familial issues. I won’t share them here as it’s not really something anyone can help with, so… let’s focus on OpenSMTPD !

What happened since last post

When I wrote the last blog post, we had just released 5.3.2 which was a minor release that fixed a few non-critical bugs that were reported to us since the first major release a few months earlier. [Read More]