[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
mailutils-3.8 released [stable]
mailutils-3.8 released [stable]
Wed, 06 Nov 2019 13:52:40 +0200
This is to inform you that GNU mailutils version 3.8 is available for
download. This stable release fixes an important security flaw and
introduces several new features. Please see the end of this message
Here are the compressed sources:
Here are the GPG detached signatures[*]:
Use a mirror for higher download bandwidth:
Here are the MD5 and SHA1 checksums:
[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify mailutils-3.8.tar.gz.sig
If that command fails because you don't have the required public key,
then run this command to import it:
gpg --keyserver keys.gnupg.net --recv-keys 3602B07F55D0C732
and rerun the 'gpg --verify' command.
Important changes in this release:
* The maidag utility is withdrawn
The main purpose of this utility was to work as local mail delivery
agent (MDA), a program responsible for final delivery of email messages
to the recipient's mailbox. As such it required suid privileges.
In parallel with its main purpose, it also was able to work in two
other modes: the 'url' mode, designed to deliver mails to arbitrary
mailbox URLs, and 'lmtp' mode, in which it acted as local mail
transport daemon. Neither of these needed suid privileges.
The unfortunate design decision to combine the three modes in a single
versatile tool resulted in local privilege escalation threat in 'url'
To fix this, maidag has been replaced by three different utilities,
each one with a precisely defined purpose and carefully designed
privileges: mda, lmtpd, and putmail.
GNU Mail Delivery Agent, the program used by mail transport agent for
local mail delivery. MTA starts it with non-root privileges, so it
needs the setuid bit in order to be able to assume the recipient's
identity when delivering mail. User input is limited to the actual
message, which is read from the standard input. The usual flexible
mailutils configuration subsystem is disabled in this utility, all
settings being read from the main configuration file only. This file
is writable only for root. Configuration settings cannot be altered
from the command line.
The command line usage is mostly compatible with the maidag, which
facilitates transition to mda.
GNU Local Mail Transfer Protocol daemon. Normally it is started by
root and remains in the background serving LMTP connections from the
A user tool for delivering messages to the specified mailbox URL.
Runs with user privileges. This provides the functionality of 'maidag
--url', without any security implications.
* Use of TLS in pop3d run from inetd
New global configuration statement "tls-mode" configures the TLS for
use in inetd mode.
The certificate and key files are configured by the global "tls"
Example configuration (pop3s server):
* comsatd --test
The --test option takes optional argument: name of the tty or file to
use for reporting.
** fix the semantics of 'hold' and 'keepsave' variables
** New message type specification ":s"
Selects messages in state 'saved'.