OpenSMTPD Security

OpenSMTPD is developed with the same rigorous security process that the OpenBSD group is famous for. If you wish to report a security issue in OpenSMTPD, please contact the private developers list <security@opensmtpd.org>.

For more information, see the OpenBSD security page.

• OpenSMTPD 5.4.5 Security Advisories

  These are the OpenSMTPD 5.4.5 advisories -- all these problems are solved in our repository as well as in newer snapshots and releases.
  • June 19, 2015: A logic error can allow a local user to crash the server.
  • October 1, 2015: Fix multiple reliability and security issues in smtpd.

• OpenSMTPD 5.4.4 Security Advisories

  These are the OpenSMTPD 5.4.4 advisories -- all these problems are solved in our repository as well as in newer snapshots and releases.
  • April 17, 2015: OpenSMTPD's SSL layer has a bug in the handling of SNI negotiation which can lead to an attacker causing an invalid certificate being presented to a concurrent session, a client disconnect or a server crash.

• OpenSMTPD 5.3.1 Security Advisories

  These are the OpenSMTPD 5.3.1 advisories -- all these problems are solved in our repository as well as in newer snapshots and releases.
  • May 16, 2013: OpenSMTPD's SSL layer has a bug in the IO events handler which can cause an evil client or server to hang all active SSL sessions until they timeout, causing a DoS in smtp and transfer processes.