Hi folks,

Like many others, when I learned that OpenBSD was creating from scratch an SMTP daemon, I was thrilled. The OpenBSD name has for a long time been connected with security, stability, and reliability. I was excited to see an extremely easy to configure yet powerful SMTP daemon coming from such a venerable project as OpenBSD. Over time, OpenSMTPD has replaced all other mail daemons for me, and I've been pleased to use another OpenBSD project as part of my critical infrastructure. Code from OpenBSD is code that the community has learned to trust, a reputation matched by few other projects.

It has been, therefore, to my extreme dismay to discover in recent months the sheer number of critical security vulnerabilities - in some cases, remotely exploitable - in OpenSMTPD. Just this past week, Qualys has reported an impressive audit result [1], with a scary remote code execution vulnerability among others, and last night I discovered a remotely exploitable buffer overflow that was being triggered in the wild [2]. If you comb through the OpenSMTPD misc mailing list, you'll find scattered reports of other similar bugs -- buffer overflows, remote denial of service vectors, and a host of other nasty glitches and security vulnerabilities -- and if you look at the CVS repository or git repository, you'll see other such goodies baked in there; most of them haven't been publicly revealed as security vulnerabilities and were not assigned CVEs, which is an irrelevant point for most reasonably skilled malicious actors. The fact is, OpenSMTPD has suffered a disproportionately high number of security issues, especially for a daemon as important as it is. It is not living up to OpenBSD's reputation, and it threatens the OpenBSD.org front page security claim. I no longer believe OpenSMTPD to be software that is trustable for use in critical infrastructure at this point in time.

Personally, I am very attached to OpenSMTPD. I have contributed to its development in, what I think to be, significant ways, and I maintain both the distribution packages for it (Gentoo) and my entire infrastructure, which is based on OpenSMTPD. I've "bet the farm" on the project, so to speak. But I think it's time we take a step back and reassess the situation.

There are some critical questions that need to be answered. What accounts for the high proportion of security vulnerabilities in a project renowned for its brilliant developers and stringent review processes? Do the OpenSMTPD developers have time -- and have they displayed a presence of necessary free time -- to keep the project healthy and moving toward stability at an acceptable pace? Have the correct standards of releases been applied to the OpenSMTPD release process? And most importantly: should OpenSMTPD continue to be a part of the core OpenBSD project? Or should it rather spend some time maturing and securing commitments from developers for maintaining it in a consistent manner, before being accepted by such a reputable organization as OpenBSD?

Finally, if OpenSMTPD does continue to exist as a part of core OpenBSD, I would strongly recommend that some effort be organized to bring top quality code reviewers and auditors to the source code, in order to give the project the eyeballs it deserves. It would be a great boost in confidence for many who use - or hoped to someday use - OpenSMTPD to see that intelligent minds, capable of securing large codebases, have put their efforts into making it secure.

I hope this can begin some discussion on the best way forward toward making OpenSMTPD a piece of infrastructure we can trust. My best wishes for the project.

Regards,
Jason

[1] http://seclists.org/oss-sec/2015/q4/17
[2] http://seclists.org/oss-sec/2015/q4/25