
I just discovered that the procmail website (http://www.procmail.org/) is down. I did some research about its status and it appears that the development of procmail has been dead since 2001. Even the old procmail maintainer recommends removing it from OpenBSD ports because the code is not safe (https://marc.info/?l=openbsd-ports&m=141634350915839&w=2). This is a bit scary, because unfixed bugs could lead to remote code execution exploits. Recent Linux distributions (e.g. Ubuntu, Debian) still provide it, but is it still safe to use procmail?

JooMing

2 Answers


Procmail had not been maintained for quite a while, and its last maintainers suggested using alternative tools like Maildrop or Sieve. In 2022, v3.24 "Two decades of fixes" was released.

The reasons many distributions haven't seen this as a real security risk include:

  • Distributions may publish their own security patches regardless of the actual developers of the original software. They do. E.g., CVSS 10.0 CVE-2017-16844 was fixed for Debian in less than two months.
  • The mail it is processing has already passed a whole MTA including several syntax and content checks and spam filtering. It is not likely there would be anything that could trigger a vulnerability in the headers Procmail MDA compares in order to decide where to put the message.
  • The tasks Procmail usually performs are fairly simple.

So, yes and no. If you have any concerns in your environment, you do have alternatives.

Esa Jokinen
    Thanks, this was helpful! I checked a Debian changelog of the procmail package and there are indeed quite a few security patches after 2001. Some of them are pretty scary. For example, overflows with malformed headers. So depending on the distribution, it still appears to be supported. – JooMing Oct 01 '17 at 10:08
  • I just adjusted the order of the reasons as this is the major reason actually. – Esa Jokinen Oct 01 '17 at 13:37
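The check described in the comments above (reading the distribution's changelog for the procmail package to see whether security fixes landed after upstream went quiet) can be automated. The following is an added example, not code from the question or answers: it parses Debian changelog format and lists entries after a given year that cite a CVE. The changelog text is a constructed sample; only the CVE id comes from the answer above, the versions, dates and maintainer are made up.

```python
import re
import sys
from email.utils import parsedate_to_datetime

# Constructed sample in Debian changelog format. Versions, dates and the
# maintainer are invented; CVE-2017-16844 is the id cited in the answer.
SAMPLE_CHANGELOG = """\
procmail (3.24-1) unstable; urgency=medium

  * New upstream release "two decades of fixes".

 -- Example Maintainer <maintainer@example.org>  Mon, 04 Apr 2022 10:00:00 +0000

procmail (3.22-25) unstable; urgency=high

  * Security fix for malformed header handling (CVE-2017-16844).

 -- Example Maintainer <maintainer@example.org>  Wed, 29 Nov 2017 12:00:00 +0000

procmail (3.22-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 10 Sep 2001 09:00:00 +0000
"""

# "package (version) distribution; urgency=level" opens an entry,
# " -- Maintainer <email>  RFC 2822 date" (two spaces before the date) closes it.
ENTRY_HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) \S+; urgency=(?P<urgency>\S+)")
TRAILER = re.compile(r"^ -- .*?  (?P<date>.+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Return one dict per changelog entry: version, urgency, date, set of CVE ids."""
    entries, current = [], None
    for line in text.splitlines():
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"version": header["version"], "urgency": header["urgency"],
                       "date": None, "cves": set()}
            entries.append(current)
        elif current is not None:
            trailer = TRAILER.match(line)
            if trailer:
                current["date"] = parsedate_to_datetime(trailer["date"])
            else:
                current["cves"].update(CVE_ID.findall(line))
    return entries

def security_fixes_since(text, year):
    """Entries dated after `year` that mention at least one CVE, oldest last."""
    return [(e["version"], e["date"], sorted(e["cves"])) for e in parse_changelog(text)
            if e["date"] is not None and e["date"].year > year and e["cves"]]

if __name__ == "__main__":
    text = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    for version, date, cves in security_fixes_since(text, 2001):
        print(f"{version}  {date:%Y-%m-%d}  {', '.join(cves)}")
```

On a Debian-based system the real changelog can be fed in with `apt-get changelog procmail | python3 this_script.py`.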

For what it's worth, as of 2023, Procmail's original author, Stephen van den Berg, has picked up maintenance of Procmail and started releasing bug fixes again.

Procmail 3.24 was released in March 2022 and is slowly making it to be the official version in Linux distros and other publishing channels. The release summary for this version is "two decades of fixes."

https://github.com/BuGlessRB/procmail

tripleee
  • This was a nice release, although it seems a bit quiet ever after. Maybe we will get the next official release from the original authors before the end of the Unix time a.k.a. the [year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem). – Esa Jokinen Jul 08 '23 at 14:49