Is it safe to use procmail in 2017?
I just discovered that the procmail website (http://www.procmail.org/) is down. I did some research about its status and it appears that the development of procmail has been dead since 2001. Even the old procmail maintainer recommends removing it from OpenBSD ports because the code is not safe (https://marc.info/?l=openbsd-ports&m=141634350915839&w=2). This is a bit scary, because unfixed bugs could lead to remote code execution exploits. Recent Linux distributions (e.g. Ubuntu, Debian) still provide it, but is it still safe to use procmail?
You are correct that Procmail hasn't been maintained for a while, and its last maintainers suggest using alternative tools like Maildrop or Sieve.
The reasons many distributions haven't seen this as a real security risk include:
- Distributions may publish their own security patches regardless of the actual developers of the original software. They do.
- The mail it's processing has already passed through a whole MTA, including several syntax and content checks and spam filtering. It's not likely there would be anything that could trigger a vulnerability in the headers the Procmail MDA compares in order to decide where to put the message.
- The tasks Procmail usually performs are fairly simple.
So, yes and no. If you have any concerns in your environment, you do have alternatives.
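Before deciding, it helps to know whether procmail is actually in your delivery path at all and whether the distribution package carries its own patches. The following audit script is an added example, not part of the question or the answer above. It assumes a Debian/Ubuntu-style host (dpkg-query, a package changelog under /usr/share/doc/procmail) and the usual procmail hook points: a ~/.forward that pipes mail into procmail, a ~/.procmailrc, and the system-wide /etc/procmailrc. The home root to scan is taken from the first argument and defaults to /home.

```shell
#!/bin/sh
# Added example: audit a host for procmail use so you can judge whether the
# unmaintained code is still reachable by inbound mail. Not from the original
# page. Assumes a Debian/Ubuntu-style system and the standard procmail hooks.

# List .forward files under HOMEROOT that pipe mail into procmail, e.g.
#   |/usr/bin/procmail
#   "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #user"
# Commented-out lines (starting with #) are ignored. Prints one path per line.
find_procmail_forwards() {
    homeroot="$1"
    find "$homeroot" -maxdepth 2 -name .forward -type f 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*"?\|.*procmail' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Count users under HOMEROOT with a ~/.procmailrc. An rc file alone does not
# prove procmail runs (the MTA must call it), but it shows someone relies on it.
count_procmailrc() {
    find "$1" -maxdepth 2 -name .procmailrc -type f 2>/dev/null | wc -l | tr -d ' '
}

# Installed package version plus the newest distribution changelog entries,
# which is where vendor-applied security fixes are recorded.
# The changelog path is the Debian packaging convention (assumption).
report_package_status() {
    if dpkg-query -W -f='${Version}\n' procmail 2>/dev/null; then
        changelog=/usr/share/doc/procmail/changelog.Debian.gz
        if [ -r "$changelog" ]; then
            zcat "$changelog" | head -n 12
        fi
    else
        echo "procmail package not installed"
    fi
}

main() {
    homeroot="$1"
    echo "== procmail package =="
    report_package_status
    echo "== .forward files invoking procmail under $homeroot =="
    find_procmail_forwards "$homeroot"
    echo "== users with ~/.procmailrc: $(count_procmailrc "$homeroot")"
    if [ -f /etc/procmailrc ]; then
        echo "== system-wide /etc/procmailrc present"
    fi
    return 0
}

main "${1:-/home}"
```

Run it as root (home directories are often mode 0700) with `sh procmail-audit.sh /home`. If no .forward pipes into procmail, no ~/.procmailrc exists, and the MTA's local delivery agent is something else, procmail is installed but unreachable by mail and the question is moot; if it is in the path, the changelog tells you whether the distribution has been patching it.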