I just discovered that the procmail website (http://www.procmail.org/) is down. I did some research about its status and it appears that the development of procmail has been dead since 2001. Even the old procmail maintainer recommends removing it from the OpenBSD ports because the code is not safe (https://marc.info/?l=openbsd-ports&m=141634350915839&w=2). This is a bit scary, because unfixed bugs could lead to remote code execution exploits. Recent Linux distributions (e.g. Ubuntu, Debian) still provide it, but is it still safe to use procmail?

JooMing

1 Answer

You are correct that Procmail hasn't been maintained for a while, and its last maintainers suggest using alternative tools like Maildrop or Sieve.

The reasons many distributions haven't seen this as a real security risk include:

  • Distributions may publish their own security patches regardless of the actual developers of the original software. They do.
  • The mail it's processing has already passed a whole MTA including several syntax and content checks and spam filtering. It's not likely there would be anything that could trigger a vulnerability in the headers Procmail MDA compares in order to decide where to put the message.
  • The tasks Procmail usually performs are fairly simple.

So, yes and no. If you have any concerns in your environment, you do have alternatives.

I say Reinstate Monica
Esa Jokinen

  • Thanks, this was helpful! I checked a Debian changelog of the procmail package and there are indeed quite a few security patches after 2001. Some of them are pretty scary. For example, overflows with malformed headers. So depending on the distribution, it still appears to be supported. – JooMing Oct 01 '17 at 10:08
  • I just adjusted the order of the reasons as this is the major reason actually. – Esa Jokinen Oct 01 '17 at 13:37
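The check the comment above describes (reading the distribution's changelog for security fixes made after upstream went quiet) can be automated. The script below is an added example written for this page, not code from the question, the answer or the procmail project. It parses the Debian changelog format (header line, indented bullet lines, ` -- maintainer  date` trailer), keeps entries dated after a cutoff year whose text mentions a security keyword, and prints them. The embedded `SAMPLE_CHANGELOG` is constructed: its versions, dates, maintainer address and entry text are placeholders, not the real procmail changelog; the CVE pattern is matched but no real CVE identifier is included.

```python
"""Scan a Debian changelog for security-relevant entries after a cutoff year.

Added example for this Q&A page. SAMPLE_CHANGELOG is constructed input with
placeholder versions, dates and maintainer; it is not procmail's real changelog.
"""
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Header line of a Debian changelog entry: "pkg (version) dist; urgency=level"
HEADER_RE = re.compile(
    r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\S+)"
)
# Trailer line: " -- Name <email>  <RFC 2822 date>" (two spaces before the date)
TRAILER_RE = re.compile(r"^ -- .+?  (?P<date>.+)$")
# Words that usually mark a security fix in a changelog entry
SECURITY_RE = re.compile(
    r"CVE-\d{4}-\d{4,}|security|overflow|vulnerab|remote code", re.IGNORECASE
)

# Constructed sample input (placeholder content, not the real package history)
SAMPLE_CHANGELOG = """\
procmail (3.22-26) unstable; urgency=medium

  * Fix buffer overflow in formail when parsing malformed headers
    (placeholder entry, constructed for this example).

 -- Placeholder Maintainer <maint@example.invalid>  Tue, 10 Oct 2017 10:00:00 +0200

procmail (3.22-20) unstable; urgency=low

  * Bump debhelper compatibility level.

 -- Placeholder Maintainer <maint@example.invalid>  Fri, 05 Mar 2010 12:00:00 +0100

procmail (3.22-1) unstable; urgency=low

  * New upstream release with an upstream overflow fix.

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Oct 2001 09:00:00 +0200
"""


@dataclass
class Entry:
    version: str
    date: datetime
    body: List[str] = field(default_factory=list)

    def text(self) -> str:
        return "\n".join(self.body)


def parse_changelog(text: str) -> List[Entry]:
    """Split changelog text into entries; blank lines and text outside an entry are ignored."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # A new header starts an entry; the date is filled in from the trailer.
            current = Entry(version=header.group("version"), date=datetime.min)
            continue
        trailer = TRAILER_RE.match(line)
        if trailer and current is not None:
            current.date = parsedate_to_datetime(trailer.group("date").strip())
            entries.append(current)
            current = None
            continue
        if current is not None and line.strip():
            current.body.append(line.strip())
    return entries


def security_entries(text: str, since_year: int) -> List[Entry]:
    """Entries dated strictly after since_year whose text matches a security keyword."""
    return [
        e for e in parse_changelog(text)
        if e.date.year > since_year and SECURITY_RE.search(e.text())
    ]


if __name__ == "__main__":
    # Pipe a real changelog in (e.g. from `apt-get changelog procmail`) or run on the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHANGELOG
    for entry in security_entries(source, since_year=2001):
        print(f"{entry.version} ({entry.date.date()}): {entry.text().splitlines()[0]}")
```

On Debian or Ubuntu, `apt-get changelog procmail | python3 check_changelog.py` runs the same filter over the real package history; the cutoff is strict (`> 2001`), so fixes from the last upstream year itself are not counted as distribution-era patches.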