Hi!
chasquid v1.13 has been released.
chasquid is an SMTP (email) server with a focus on simplicity, security,
and ease of operation. It's written in Go, and is open source under the
Apache license 2.0.
See https://blitiri.com.ar/p/chasquid/ for more information.
Security fixes:
- Strict CRLF enforcement in DATA contents, to prevent SMTP smuggling
  attacks [1].
  RFC5322 and RFC5321 say that the only valid newline terminator in SMTP
  is CRLF.
  When an invalid newline terminator is found in an incoming message,
  the connection is now aborted immediately (previous releases also
  accepted LF-terminated lines).
  The MTA courier now uses CRLF-terminated lines (previous releases used
  LF-terminated lines).
Other changes:
- Add support for receive-only users.
- Reject empty listening addresses, to help prevent accidental
  misconfiguration. To prevent chasquid from listening, just comment out
  the entry in the config.
- docker/add-user.sh: Support getting email and password from env
  variables.
Thank you!
Alberto
[1]: https://www.postfix.org/smtp-smuggling.html
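
Added example (not part of the original announcement and not chasquid's own code): a minimal Go sketch of the strict CRLF rule described under "Security fixes", where a DATA reader aborts on any bare LF or bare CR instead of treating it as a line ending. The names readData and ErrInvalidLineEnding and the sample messages are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrInvalidLineEnding is a hypothetical error for a bare LF or bare CR in DATA.
var ErrInvalidLineEnding = errors.New("invalid line ending in DATA")

// readData reads a DATA payload up to the "<CRLF>.<CRLF>" terminator.
// Every line must end in CRLF; a bare LF or a stray CR is a hard error,
// so the caller can drop the connection rather than guess at line breaks.
func readData(r io.Reader) (string, error) {
	br := bufio.NewReader(r)
	var msg strings.Builder
	for {
		line, err := br.ReadString('\n')
		if err == io.EOF {
			return "", io.ErrUnexpectedEOF // stream ended before the terminator
		} else if err != nil {
			return "", err
		}
		body := strings.TrimSuffix(line, "\r\n")
		if len(body) == len(line) || strings.ContainsRune(body, '\r') {
			return "", ErrInvalidLineEnding // LF without CR, or CR without LF
		}
		if body == "." {
			return msg.String(), nil // the only accepted end-of-data marker
		}
		msg.WriteString(strings.TrimPrefix(body, ".")) // dot-unstuffing
		msg.WriteString("\r\n")
	}
}

func main() {
	// Constructed sample: "<LF>.<LF>" tries to end the message early so the
	// following text is parsed as a new SMTP command by a lenient server.
	smuggled := "Subject: a\r\n\r\nhi\n.\nMAIL FROM:<x@example.com>\r\n.\r\n"
	_, err := readData(strings.NewReader(smuggled))
	fmt.Println("smuggled:", err)

	msg, err := readData(strings.NewReader("Subject: b\r\n\r\nhi\r\n.\r\n"))
	fmt.Printf("clean: %q %v\n", msg, err)
}
```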