[SECURITY] maddy 0.7.1

@foxcpp foxcpp released this 23 Jan 21:54
v0.7.1
59d9435

This release, among other fixes, includes the fix for the zero-day "SMTP smuggling" vulnerability. Detailed analysis: https://www.postfix.org/smtp-smuggling.html. Until 0.7.1, maddy was an "email service B" in the terms of that analysis.

Fixes

  • cfgparser: Do not interpret absolute paths relative to the config dir (#592).
  • target/remote: Fix isVerifyError not working correctly on Go 1.20 (#612).
  • smtpconn/pool: Fix idle connections almost never cleaned up (#596).
  • target/remote: Fix wrong DNS query type in DANE lookups for IPv6-only hosts (#631).
  • [SECURITY] go-smtp: Mitigate SMTP smuggling issue (#661).
  • endpoint/smtp: Detect cancelled rDNS lookup correctly (#626).
  • check/spf: Handle empty MAIL FROM in accordance with RFC 7208.

Misc

  • storage/imapsql: Add support for transpiled SQLite driver

Tests

  • Fix cover_test.go deadlock on Go 1.20.

Distribution & packaging

  • build.sh: Allow running ./build.sh install without the go command available (#569).
  • dist/systemd: Ease umask restrictions, making files RW for maddy group (#569).
  • dist/systemd: Depend on network-online.target (#617).

Documentation

  • Improve Markdown formatting and grammar (#600, #614, #662).
  • Fix a bunch of broken links (#601, #602, #667).
  • email_with_domains -> email_with_domain (#609, #613).
  • Fix wrong SPF record suggestion (#640).
  • Fix number of sigs for modifiers.dkim sign_fields (#643).
  • Explicitly mention that referencing a config block from a global directive won't work.