A resource for the OpenBSD community

Like (we suspect) quite a few of our readers, undeadly.org co-editor Peter Hansteen runs a mail service and settled on exim as the reasonable alternative to the classic sendmail way back when.

However, that software has had its share of security issues over the years, and during the preparations for the OpenBSD 7.9 release, the ports maintainers decided that

"History of security issues + setuid root is a terrible combo."

and it was time to remove exim from the packages collection.

This meant that the mail service needed to migrate to something else, and Peter wrote up a short article about migrating a multi-domain, multi-site setup to smtpd: OpenSMTPD Is The Mail Server For The Future. The article has a working configuration and advice on how to proceed.

Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets.

A downside to tables that would tend to fill up indefinitely is that at some point they will be quite full, and the administrator would need to either manually run pfctl expire or set up a crontab entry to weed out old entries at intervals.

Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to to tables declarations, doing away with the need to set up crontab entries to run pfctl expire.

The patch and the explanation can be found in the thread pf(4) add timeout option to ip address tables, with followup discussion where several developers and users pitch in.

The message reads,

List:       openbsd-tech
Subject:    pf(4) add timeout option to ip address tables
From:       Alexandr Nedvedicky <sashan () fastmail ! net>
Date:       2026-05-11 1:05:27

Hello,

diff below should help people who use 'overload' action in their
firewall configuration. This is how pf.conf(5) describes the
overload option:

Florian Obser (florian@) recently gave a BSD-NL talk entitled "Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs".

Florian takes us on a guided tour of how inet6 autoconf actually works, with enlightening and entertaining peeks into selected piece of OpenBSD source.

At the end, we are asked to "now, draw the rest of the owl".

Slides are available in the usual place, and video is also available.

Version 0.125 of Game of Trees has been released (and the port updated). Note the security fixes:

• security fix: reject versioned files inside .git, .got, or .cvg directories
• security fix: crafted tree entry names could cause writes outside work tree
• fix redundant pack file cleanup when repository contains symlinks
• prevent NULL pointer dereferences when empty tree objects are encountered

The LibreSSL project has announced the release of version 4.3.1 of the software:

We have released LibreSSL 4.3.1, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

This is a development release for the 4.3.x branch, so we appreciate
early testing and feedback. There will be no further API and ABI changes
on the 4.3 branch.

It includes a build fix from 4.3.0 and the following changes:

Jonathan Gray (jsg@) updated the version of OpenBSD -current from "7.9" to "7.9-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).

Routing security matters to all of us (even those of us who seldom give the subject any thought), and the rpki-client project announced the release of a new version of their Resource Public Key Infrastructure (RPKI) client, with a number of improvements.

The announcement reads,

List:       openbsd-announce
Subject:    rpki-client 9.8 released
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2026-04-14 23:20:42


rpki-client 9.8 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

We're a little late reporting it but…

The familiar safeguard sysctl hw.smt is now deprecated, having been replaced by a more flexible mechanism which allows discriminating between different varieties of core type.

First, Theo de Raadt (deraadt@) enabled the mechanism for OpenBSD/amd64 in this commit:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2026/03/31 10:46:22

Modified files:
	sys/sys        : sched.h sysctl.h 
	sys/kern       : kern_sched.c kern_sysctl.c 
	sys/arch/amd64/amd64: identcpu.c machdep.c 
	sys/arch/amd64/include: cpu.h 
	lib/libc/sys   : sysctl.2 

Log message:
Some new intel machines have a new 3rd tier of cpus called LP-E which are
E-core (Atom) without L3 cache.  These v are Lethargic, and it sucks
when processes migrate to them.