20 May 2020
What's notqmail?
It's software for running an email server. See About for more information.
What's new?
This release of notqmail is guided by two themes: fix bugs and reduce bug likelihood.
Fix bugs
- Vulnerabilities we've inherited from qmail 1.03, reported by Qualys. (#128, #133)
  - CVE-2005-1515: fix signedness wraparound in substdio_{put,bput}().
  - CVE-2005-1514: fix possible signed integer overflow in commands().
  - CVE-2005-1513: fix integer overflow in stralloc_readyplus().
  - Fix several other places where variables could overflow.
- qmail-pop3d: instead of running as root if root authenticates (and being a vector for a dictionary attack on the root password), exit 1 to look just like a failed checkpassword login. (#92)
- qmail-inject: do not parse header recipients if -a is given. (#8)
- Correctly detect multiple IP addresses on the same interface. (#96)
- Remove workaround for ancient DNS servers that do not properly support CNAME. Patch by Jonathan de Boyne Pollard that was floating around the net for years. (#97)
- Fix possible integer overflow in alloc(). (#109)
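As an added illustration of the bug class behind the CVE-2005-1513 and alloc() entries above (this is not notqmail's code; the struct, the function names and the 30-byte headroom are assumptions made for the example), a growable buffer that checks its size arithmetic before performing any addition, next to an unchecked test that wraps:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable buffer; names are illustrative, not notqmail's. */
struct buf { char *s; unsigned int len; unsigned int a; };

/* Unchecked (for contrast): len + n wraps, so a huge n looks like it fits. */
int needs_grow_unchecked(const struct buf *b, unsigned int n)
{
  unsigned int want = b->len + n;          /* wraps modulo UINT_MAX + 1 */
  return want > b->a;
}

/* Checked: 1 and new capacity in *out, or 0 if any step would overflow. */
int grow_size_checked(unsigned int len, unsigned int n, unsigned int *out)
{
  unsigned int want, slack;
  if (n > UINT_MAX - len) return 0;        /* len + n would wrap */
  want = len + n;
  slack = 30 + (want >> 3);                /* headroom; cannot wrap itself */
  if (slack > UINT_MAX - want) return 0;   /* want + slack would wrap */
  *out = want + slack;
  return 1;
}

/* Ensure room for n more bytes: 1 on success, 0 on overflow or no memory. */
int buf_readyplus(struct buf *b, unsigned int n)
{
  unsigned int newa;
  char *p;
  if (n <= b->a && b->len <= b->a - n) return 1;   /* fits; no addition used */
  if (!grow_size_checked(b->len, n, &newa)) return 0;
  p = realloc(b->s, newa);
  if (!p) return 0;
  b->s = p; b->a = newa;
  return 1;
}

int main(void)
{
  struct buf b = {0};
  unsigned int huge = UINT_MAX - 2;        /* constructed oversized request */
  if (!buf_readyplus(&b, 5)) return 1;
  b.len = 5;                               /* pretend 5 bytes were stored */
  printf("unchecked says grow needed: %d\n", needs_grow_unchecked(&b, huge));
  printf("checked readyplus result:   %d\n", buf_readyplus(&b, huge));
  free(b.s);
  return 0;
}
```

The unchecked test reports that no growth is needed for the oversized request, which is how a later copy would run past the allocation; the checked path refuses the request and leaves the buffer unchanged.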
Reduce bug likelihood
- Remove dnscname and dnsmxip programs that were being built but not installed. (#69)
- Remove systype and related platform detection. (#34)
- Remove unused variable in maildir.c. (#78)
- Reduce variable scope in tcpto.c. (#111)
- Avoid local variables shadowing same-named globals. (#113)
- Avoid needing exit.h in named-pipe bug check. (#108)
- Add a test target and some unit tests, using Check. (#102)
- Add missing function declarations in cdbmss.h, scan.h. (#64)
- Add missing return types to main(). (#85)
- Add hier.h for inclusion in instcheck.c, instchown.c, instpackage.c. (#64)
- Use system headers and types instead of the HASSHORTSETGROUPS check. (#72)
- Use system headers instead of redeclaring exit(), read(), write(), malloc(), free(), fork(), uint32_t. (#79, #80, #81, #82, #101, #30)
- Use C89 function signatures for code we've touched so far. (#100)
- Automated builds:
  - TravisCI: move setting MAKEFLAGS out of the script and into the matrix. (#58)
  - Add FreeBSD builds with CirrusCI. (#98)
  - Add a GitHub Actions build. (#131)
Other changes
- Remove DJB's TODO. (#68)
- Replace many pobox.com URLs. (#54)
- Acknowledge Erik Sjölund's qmail-local.c bugfix that we've inherited from netqmail. (#118)
- Avoid generating catted manpages by building with NROFF=true. (#116, #132, #134)
- Optionally create a systemd service file. (#114)
- Run an alternate qmail-remote by setting QMAILREMOTE in qmail-send's environment. (#46)
Intent to remove
In the course of developing this release, we found programs that we intend to remove in the next release. We believe none of these remains necessary or useful enough to be worth the cost of maintaining. If you disagree, please let us know!
- Remove qsmhook, long since replaced by preline. (#87)
- Remove inefficient maildirwatch. (#93)
- Remove obsolete mail client wrappers. (#99, #110)
- Remove qmail-pop3d, since Maildir is well supported by actively maintained POP3 servers (e.g., Courier IMAP or Dovecot).
Thanks
We thank Qualys for their findings, collaborative approach, and impetus to cut a new release.
GitHub references
- All closed 1.08 issues
- All closed 1.08 PRs
How to install
See Install.
Getting help
See Help.