A resource for the OpenBSD community

Random relinking at boot comes to `httpd(8)` and `smtpd(8)`

Contributed by Peter N. M. Hansteen on 2026-06-04 from the the joy of relinking dept.

Random order relinking of critical components is an OpenBSD feature specifically designed to make it harder to exploit bugs in the resulting binary. sshd(8) was the first of the network-facing daemons to get the random treatment (see this previous report).

Now in a series of commits that split one daemon (smptd(8)) into six separate binaries, Theo de Raadt (deraadt@) is bringing httpd(8) and smptd(8), both common in network facing configrations, into the random relink at boot fold.

httpd(8) was the first of the two:

`llvm`/`clang(1)`/`lld(1)` updated to version 22.1.6

Contributed by rueda on 2026-05-31 from the catch 22 dept.

LibreSSL 4.3.2 released

Contributed by grey on 2026-05-26 from the now with fewer NULL dereferences and more bug fixes dept.

The LibreSSL project has announced the release of version 4.3.2 of the software.

The release notes are as follows:

Game of Trees 0.126 released

Contributed by grey on 2026-05-21 from the sha256 support finally heeding John Gilmore's warning dept.

Version 0.126 of Game of Trees has been released (and the port updated). Complete release notes are as follows:

OpenBSD 7.9 Released

Contributed by rueda on 2026-05-01 from the seven-nine the sixtieth dept.

The OpenBSD project has announced OpenBSD 7.9, its 60^th release.

The new release contains a number of significant improvements, including but certainly not limited to:

MAXCPU value on OpenBSD/amd64 increased to 255 [See earlier report]
Preparations for supporting 52 disk partitions [See earlier report]
Introduced selective blocking of cores from the scheduler with sysctl hw.blockcpu [See earlier report]
Delayed hibernation support on OpenBSD/amd64 laptops [See earlier report]
On amd64, implemented delayed hiberation [See earlier report]
Parallel fault handling enabled on amd64 and arm64 platforms
drm(4) code updated to linux 6.18.16 [See earlier report]
Added sysctl(8) machdep.vmmode to indicate status as a host or guest [See commit]
Added vmboot (on amd64), a tiny kernel for booting SEV VMs, which allows sysupgrade(8) to work [See commit]
Made OpenBSD run as a guest under Apple Hypervisor [See earlier report]
Converted vmd(8)'s virtio scsi device to a subprocess [See earlier report]
Added nhi(4), a driver for USB4 controllers, which allows modern laptops with AMD CPUs to reach the appropriate low power idle states during S0ix suspend. [See commit]
Added basic implementation of the low-level FUSE API
Improved sysugprade(8) handling of low disk space in /usr [See earlier report]
fw_update(8) now checks dmesg(8) output in addition to dmesg.boot [See earlier report]
On amd64, added support for loading kernels from the EFI system partition [See commit]
The pledge(2) "tmppath" promise has been retired [See earlier reports]
Enabled IPv6 autoconf [SLAAC] by default in installer [See commit]
Private VLAN (PVLAN) support added to veb(4) [See commit]
LACP support removed from trunk(4) [See earlier report]
Multiple pf(4) enhancements:
- Source and state limiters introduced [See earlier report]
- Print both nat-to and rdr-to in pfctl -s rules
Added httpd.conf(5) "no banner" configuration directive to suppress generation of "Server" header [See commit]
In relayd(8), added support for PROXY protocol in TCP relays
In acme-client(1), added support for IP Address certificates
OpenBGPD 9.1 [See earlier reports on releases of versions 9.0 & 9.1]
rpki-client 9.8 [See earlier reports on releases of versions 9.7 & 9.8]
LibreSSL 4.3.1 [See earlier report]
OpenSSH 10.3 [See earlier report]
- Several security enhancements were added
- Added ssh(1) escape ~I showing information about the current SSH connection [See commit]
chromium (and derivatives) gained VA-API support [See earlier report]
chromium (and derivatives) gained (Open) Widevine support support [See earlier report]

See the full changelog for more details of the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).

Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!

Migrating mail servers from `exim` to OpenSMTPD (`smtpd`) is fun and useful

Contributed by Peter N. M. Hansteen on 2026-05-15 from the delivery upgrade accepted dept.

Like (we suspect) quite a few of our readers, undeadly.org co-editor Peter Hansteen runs a mail service and settled on exim as the reasonable alternative to the classic sendmail way back when.

However, that software has had its share of security issues over the years, and during the preparations for the OpenBSD 7.9 release, the ports maintainers decided that

"History of security issues + setuid root is a terrible combo."

and it was time to remove exim from the packages collection.

This meant that the mail service needed to migrate to something else, and Peter wrote up a short article about migrating a multi-domain, multi-site setup to smtpd: OpenSMTPD Is The Mail Server For The Future. The article has a working configuration and advice on how to proceed.

Automatic expiry at timeout for `pf(4)` overload tables

Contributed by Peter N. M. Hansteen on 2026-05-12 from the overlords of overloads dept.

Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets.

A downside to tables that would tend to fill up indefinitely is that at some point they will be quite full, and the administrator would need to either manually run pfctl expire or set up a crontab entry to weed out old entries at intervals.

Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to to tables declarations, doing away with the need to set up crontab entries to run pfctl expire.

The patch and the explanation can be found in the thread pf(4) add timeout option to ip address tables, with followup discussion where several developers and users pitch in.

The message reads,

List:       openbsd-tech
Subject:    pf(4) add timeout option to ip address tables
From:       Alexandr Nedvedicky <sashan () fastmail ! net>
Date:       2026-05-11 1:05:27

Hello,

diff below should help people who use 'overload' action in their
firewall configuration. This is how pf.conf(5) describes the
overload option:

Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs

Contributed by rueda on 2026-05-12 from the I-predict-I-will-get-fe80-ip dept.

Florian Obser (florian@) recently gave a BSD-NL talk entitled "Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs".

Florian takes us on a guided tour of how inet6 autoconf actually works, with enlightening and entertaining peeks into selected piece of OpenBSD source.

At the end, we are asked to "now, draw the rest of the owl".

Slides are available in the usual place, and video is also available.

Game of Trees 0.125 released

Contributed by rueda on 2026-05-12 from the again-and-again-and dept.

Version 0.125 of Game of Trees has been released (and the port updated). Note the security fixes:

security fix: reject versioned files inside .git, .got, or .cvg directories

security fix: crafted tree entry names could cause writes outside work tree

fix redundant pack file cleanup when repository contains symlinks

prevent NULL pointer dereferences when empty tree objects are encountered