Procmail considered harmful

Just came across this article on Debian Planet:

Seems serious; never realized procmail was abandoned for two decades(!)…
Makes me wonder what the Webmin devs think of this. Any chance of switching to alternatives in the future?

Yeah, we plan to replace it in Virtualmin 8 with Dovecot’s Sieve implementation, though we recently updated our procmail-wrapper to resolve some of the concerns with procmail starting with root privileges. It hasn’t really been completely unmaintained for 20 years (though it’s only loosely maintained). The version you get in modern distros is not the same one that was last released 20 years ago, it has some patches. But, yes, it is old, it is cranky, and it is possible to use it in ways that are dangerous (I think what we’re shipping is safe, however).

Replacing it is a huge project, unfortunately. And it will be disruptive for anyone who uses any of the more complicated mail handling features (Virtualmin uses it pretty heavily in mail processing, in that it makes decisions about spam/AV and forwarding/autoresponders, etc., as well as delivery).

I’m sure if you search the forums you’ll find conversations where I’ve talked about procmail.
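For readers wondering what the procmail duties listed above (spam decision, forwarding, autoresponder, delivery) look like in Dovecot's Sieve implementation, here is an added example written for this thread. It is not Virtualmin's code and not part of the original post; the header name `X-Spam-Flag`, the `Junk` folder and the `archive@example.com` address are assumptions for illustration.

```sieve
# Added example (not Virtualmin's code). Assumes SpamAssassin has already
# added "X-Spam-Flag: YES" to spam; fileinto/vacation/copy are standard
# Sieve extensions supported by Dovecot Pigeonhole.
require ["fileinto", "vacation", "copy"];

# Spam decision: file tagged spam into Junk and stop processing.
if header :is "X-Spam-Flag" "YES" {
    fileinto "Junk";
    stop;
}

# Forwarding: send a copy on while still delivering locally (:copy keeps
# the implicit keep, so the message is not lost from this mailbox).
redirect :copy "archive@example.com";

# Autoresponder: at most one reply per sender every 7 days; Sieve's
# vacation action also refuses to answer list/bulk mail on its own.
vacation :days 7 :subject "Out of office"
    "I am away and will reply when I return.";

# Anything that reaches this point is delivered to INBOX by implicit keep.
```

Unlike a procmail recipe, a Sieve script cannot run arbitrary programs or write to arbitrary files, which is the property that makes it a safer replacement for per-user delivery rules.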


Please keep track of this for VM 6.x and 7 :wink:
(GitHub)

"Developing story

I must also add that, incredibly, this story has changed while writing it. This article is derived from this bug I filed in Debian to, quite frankly, kick procmail out of Debian. But filing the bug had the interesting effect of pushing the upstream into action: as mentioned above, they have apparently made a new release and merged a bunch of patches in a new git repository."

