This version fixes a security problem that affects version 1.8.2 (older versions are not affected):
when the new default value system for tls_trust_file is used, the result
of certificate verification was not properly checked.
Update 2019-02-14: This problem has been assigned CVE-2019-8337. This is the patch that fixes it (included in version 1.8.3).
This version simplifies configuration:
--configure user@example.com option automatically
generates a configuration for the given mail address. This works for domains
that publish appropriate SRV records (as they should according to RFC 8314).tls on to activate TLS because
there is a new default value for tls_trust_file that selects
the system default trust.This version fixes a bug that broke TLS 1.3 support.
If you do not want to upgrade to the 1.8 series yet but you need TLS 1.3 support, you can apply this patch to msmtp version 1.6.8 or 1.4.32.
This is the first release of the new stable release series. Noteworthy changes since 1.6.8:
--without-msmtpd.passwordeval command does not require the password to be terminated by a
new line character anymore.logfile_time_format command allows to customize log file time stamps.This is a release candidate for the upcoming 1.8.x stable release series. The following changes were made:
--without-msmtpd.It is recommended to use msmtp with GnuTLS instead of OpenSSL. The upcoming version of msmtp will not use OpenSSL automatically anymore, and if you choose it manually, you will get a warning.
The reason for this is that the OpenSSL-related code in msmtp is essentially
unmaintained. I don't work on it myself anymore, and the last time somebody
sent a patch was 8 years ago.
As a result, if you use msmtp with OpenSSL today, you don't get support for
TLS SNI, --tls-priorities, --tls-crl-file, or
--tls-min-dh-prime-bits.
The code is hard to read, maintain, and improve due to severe limitations in the usability and documentation of the OpenSSL API. A few examples:
time_t.
This is insane, as both actions are required by virtually all TLS clients
and are hard to get right, see e.g.
here and
here.
Any usable TLS library must provide such functions. I understand that OpenSSL
1.1.0 finally added support for host name verification, but it still leaves you
alone with the terrible ASN1 time representation.Complexity is the enemy of security. I have given up on OpenSSL years ago and will not work to improve and update the OpenSSL-related code in msmtp. If someone wants to do that work, I will accept patches, but I will continue to recommend using GnuTLS instead. If the OpenSSL support in msmtp remains in its current state, it will eventually be removed.
There is an experimental new feature in the git repository: msmtpd, a minimal SMTP server
that listens on a local interface and pipes each incoming mail to msmtp (or a different program).
It is intended to be used with system services that expect an SMTP server on the local host and
cannot be configured to use the sendmail interface that msmtp provides.
If you are interested, use configure --with-msmtpd to enable it, and let us know
what you think.
New in this release:
--source-ip option or source_ip commandNew in this release:
~/.config/msmtp/config as configuration fileThe main git repository at gitlab.marlam.de/marlam/msmtp is now mirrored at github.com/marlam/msmtp-mirror.
After many years, this project moved from Sourceforge to a self-hosted gitlab instance:
https://gitlab.marlam.de/marlam/msmtp.
Older news are stored in the news archive.