diff options
authorSergey Poznyakoff <>2019-11-06 12:56:37 +0200
committerSergey Poznyakoff <>2019-11-06 13:02:47 +0200
commitb0499893540eddecd5d09193d5ea88b3001869bd (patch)
parent6e35ba4275cd113dbbb8242e672bafb9dea02091 (diff)
Version 3.8release-3.8
* Version 3.8 * NEWS: Document changes. * THANKS: Update.
3 files changed, 50 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index f23851e62..cc64669fe 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,56 @@
-GNU mailutils NEWS -- history of user-visible changes. 2019-09-11
+GNU mailutils NEWS -- history of user-visible changes. 2019-11-06
Copyright (C) 2002-2019 Free Software Foundation, Inc.
See the end of file for copying conditions.
Please send mailutils bug reports to <>.
-Version 3.7.90 (git)
+Version 3.8 - 2019-11-06
+* The maidag utility is withdrawn
+The main purpose of this utility was to work as local mail delivery
+agent (MDA), a program responsible for final delivery of email messages
+to the recipient's mailbox. As such it required suid privileges.
+In parallel with its main purpose, it also was able to work in two
+other modes: the 'url' mode, designed to deliver mails to arbitrary
+mailbox URLs, and 'lmtp' mode, in which it acted as local mail
+transport daemon. Neither of these needed suid privileges.
+The unfortunate design decision to combine the three modes in a single
+versatile tool resulted in local privilege escalation threat in 'url'
+To fix this, maidag has been replaced by three different utilities,
+each one with a precisely defined purpose and carefully designed
+privileges: mda, lmtpd, and putmail.
+* mda
+GNU Mail Delivery Agent, the program used by mail transport agent for
+local mail delivery. MTA starts it with non-root privileges, so it
+needs the setuid bit in order to be able to assume the recipient's
+identity when delivering mail. User input is limited to the actual
+message, which is read from the standard input. The usual flexible
+mailutils configuration subsystem is disabled in this utility, all
+settings being read from the main configuration file only. This file
+is writable only for root. Configuration settings cannot be altered
+from the command line.
+The command line usage is mostly compatible with the maidag, which
+facilitates transition to mda.
+* lmtpd
+GNU Local Mail Transfer Protocol daemon. Normally it is started by
+root and remains in the background serving LMTP connections from the
+* putmail
+A user tool for delivering messages to the specified mailbox URL.
+Runs with user privileges. This provides the functionality of 'maidag
+--url', without any security implications.
* Use of TLS in pop3d run from inetd
diff --git a/THANKS b/THANKS
index 1a6884e79..ec71ffd1e 100644
--- a/THANKS
+++ b/THANKS
@@ -23,6 +23,7 @@ Kostas Zorbadelos <>
Kurt Hackenberg <>
Matthew Whitworth <>
maks <>
+Mike Gualtieri <>
Neil R. Ormos <>
Olivier Bornet <>
Pierre-Jean <>
diff --git a/ b/
index 5c7717289..61a490148 100644
--- a/
+++ b/
@@ -16,7 +16,7 @@ dnl You should have received a copy of the GNU General Public License along
dnl with GNU Mailutils. If not, see <>.
-AC_INIT([GNU Mailutils], [3.7.90], [], [mailutils],
+AC_INIT([GNU Mailutils], [3.8], [], [mailutils],

Return to:

Send suggestions and report system problems to the System administrator.