On 2016-11-25 Kevin McGregor wrote:
> Officially, the last stable procmail release <ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/> was version 3.22, made in September of 2001. As one might expect, there
To me this smacks of "it's old, not new and shiny, so let's abandon it". I'm always of the school of thought that old = tried&true = well known = better (contrast systemd).
FWIW I've used procmail exclusively on all boxes (quite a few) since 1992. Never had a problem. It has rarely had any sec hole announcements.
The fact that it was perfected in 2001 is, to me, a sign of quality, not the opposite. It has to do one small thing and do it well. That it does! (contrast systemd, again) The fact I never have to think about or worry about procmail, even across OS versions and upgrades, is a huge plus in my book.
> From https://marc.info/?l=openbsd-ports&m=141634350915839&w=2
> Executive summary: delete the procmail port; the code is not safe and should not be used as a basis for any further work.
That would mean something if it wasn't from the "openbsd-ports" people! They have a different idea of "not safe" than nearly everyone else on the planet. Their "not safe" doesn't mean "hackable", it means "we didn't write it".
Procmail is widely used, for nearly forever, and has had a lot of hours being hammered in production and lots of eyes looking at the code. I'm sure those so inclined have already tried to find holes in it. Like I said above, I think I can recall one security patch for it in the last 15 years? That's impressive. Compare to, say, phpMyAdmin, ugh.
People never keep in mind: new & shiny = bugs/holes have yet to be found; NOT new & shiny = secure!
> wondering: If I'm going to go to the trouble to locate and install something (i.e. no default is available) should I go with procmail or
I would say if you and your users already know procmail (i.e. the recipe syntax) then stay with it. If you're greenfield, then go with whatever looks promising to you. Not sure what else fits the bill because I'm completely satisfied with procmail!
(P.S. I would add that I wouldn't mind seeing someone compile in pcre into procmail, but that would just be gravy.)