Home / server / Questions / 876336
Accepted
JooMing
Asked: 2017-10-02 00:09:24 +0800 CST

Is it safe to use procmail in 2017?

  • 772

I just discovered that procmail website (http://www.procmail.org/) is down. I did some research about its status and it appears that the development of procmail has been dead since 2001. Even the old procmail maintainer recommends to remove it from openbsd ports because the code is in not safe (https://marc.info/?l=openbsd-ports&m=141634350915839&w=2). This is a bit scary, because unfixed bugs could lead to a remote code execution exploits. Recent Linux distributions (e.g. Ubuntu, Debian) still provide it, but is it still safe to use procmail?

email

1 Answers

  1. Best Answer

    You are correct that Procmail hasn't been maintained for a while, and its last maintainers suggest using alternative tools like Maildrop or Sieve.

    The reasons many distributions haven't seen this as a real security risk include:

    • Distributions may publish their own security patches regardless of the actual developers of the original software. They do.
    • The mail it's processing has already passed a whole MTA including several syntax and content checks and spam filtering. It's not likely there would be anything that could trigger a vulnerability in the headers Procmail MDA compares in order to decide where to put the message.
    • The tasks Procmail usually perform are fairly simple.

    So, yes and no. If you have any concerns in your environment, you do have alternatives.

    • 32