20 May 2020

What's notqmail?

It's software for running an email server. See About for more information.

What's new?

This release of notqmail is guided by two themes: fix bugs and reduce bug likelihood.

Fix bugs

  • Vulnerabilities we've inherited from qmail 1.03, reported by Qualys. (#128, #133)
    • CVE-2005-1515: fix signedness wraparound in substdio_{put,bput}().
    • CVE-2005-1514: fix possible signed integer overflow in commands().
    • CVE-2005-1513: fix integer overflow in stralloc_readyplus().
    • Fix several other places where variables could overflow.
  • qmail-pop3d: instead of running as root if root authenticates (and being a vector for a dictionary attack on the root password), exit 1 to look just like a failed checkpassword login. (#92)
  • qmail-inject: do not parse header recipients if -a is given. (#8)
  • Correctly detect multiple IP addresses on the same interface. (#96)
  • Remove workaround for ancient DNS servers that do not properly support CNAME. Patch by Jonathan de Boyne Pollard that was floating around the net for years. (#97)
  • Fix possible integer overflow in alloc(). (#109)

Reduce bug likelihood

  • Remove dnscname and dnsmxip programs that were being built but not installed. (#69)
  • Remove systype and related platform detection. (#34)
  • Remove unused variable in maildir.c. (#78)
  • Reduce variable scope in tcpto.c. (#111)
  • Avoid local variables shadowing same-named globals. (#113)
  • Avoid needing exit.h in named-pipe bug check. (#108)
  • Add a test target and some unit tests, using Check. (#102)
  • Add missing function declarations in cdbmss.h, scan.h. (#64)
  • Add missing return types to main(). (#85)
  • Add hier.h for inclusion in instcheck.c, instchown.c, instpackage.c. (#64)
  • Use system headers and types instead of the HASSHORTSETGROUPS check. (#72)
  • Use system headers instead of redeclaring exit(), read(), write(), malloc(), free(), fork(), uint32_t. (#79, #80, #81, #82, #101, #30)
  • Use C89 function signatures for code we've touched so far. (#100)
  • Automated builds:
    • TravisCI: move setting MAKEFLAGS out of the script and into the matrix. (#58)
    • Add FreeBSD builds with CirrusCI. (#98)
    • Add a GitHub Actions build. (#131)

Other changes

  • Remove DJB's TODO. (#68)
  • Replace many pobox.com URLs. (#54)
  • Acknowledge Erik Sjölund's qmail-local.c bugfix that we've inherited from netqmail. (#118)
  • Avoid generating catted manpages by building with NROFF=true. (#116, #132, #134)
  • Optionally create a systemd service file. (#114)
  • Run an alternate qmail-remote by setting QMAILREMOTE in qmail-send's environment. (#46)

Intent to remove

In the course of developing this release, we found programs that we intend to remove in the next release. We believe none of these remains necessary or useful enough to be worth the cost of maintaining. If you disagree, please let us know!

  • Remove qsmhook, long since replaced by preline. (#87)
  • Remove inefficient maildirwatch. (#93)
  • Remove obsolete mail client wrappers. (#99, #110)
  • Remove qmail-pop3d, since Maildir is well supported by actively maintained POP3 servers (e.g., Courier IMAP or Dovecot).

Thanks

We thank Qualys for their findings, collaborative approach, and impetus to cut a new release.

GitHub references

How to install

See Install.

Getting help

See Help.