exim
Hi,

A bit of a late reply, because I didn't notice this thread earlier.

It looks like there was an Exim port in OpenBSD for the past ~30 years (I found a commit in 1997 and 1999 next); since it's maybe "the most popular (open source) MTA" (likely because Debian shipped it by default) I assume it's in use by a (at least) few users: myself included.

I'm not normally watching the ports mailing list I must admit. I inspected the ports in the past, and actually found that exim was quite well maintained (fixes came in faster compared to other distributions), and thus relied on it. Now I looked again for the upgrade to 4.99.2, and noticed the port was gone (!) and this conversation.

With this thread I realize there was a conversation years ago. For me as a user it comes completely without warning that the port disappears just hours after this mail, and there was no warning at install/upgrade time of the port or anything. I'm a bit afraid the decision is made even just before a new release, and with that we don't even have time to discuss about it: be it good or bad. (After a release would make a bit more sense to me.)

I understand we all (fortunately) care about security, and that Exim could do better in comparison with alternatives, and that it is setuid root. So far I think they did always publish patches anyway, and do better than some other software. I myself didn't expect OpenBSD ports to be a security seal either: I think the base system is ;-) but migrating to other MTAs isn't just always an option. It's not that I want insecure software; it's not necessarily inbound listening either; there's a lot of arguments one can think of.

I'm not sure if there's an option to reconsider, but I would love to keep exim available in OpenBSD ports,

Regards,
Paul

On 15/04/2026 12:26, Stuart Henderson wrote:
> Since we're coming up to release (where we have to maintain it for
> another 6 months), I thought I'd revisit this. History of security
> issues + setuid root is a terrible combo.
>
> Are there any strong reasons to keep exim in ports?
>
> If not, ok to remove?
>
>
> ----- Forwarded message from Stuart Henderson <stu@spacehopper.org> -----
>
> From: Stuart Henderson <stu@spacehopper.org>
> Date: Mon, 19 Aug 2024 15:13:40 +0100
> Subject: Re: exim SIGSEGV on TLS connections on latest amd64 snapshot
>
> On 2024/08/19 15:26, Theo Buehler wrote:
> <snip>
>> While it is impossible to be sure where exactly the bug lies, it sure
>> looks as if exim had another pretty bad bug in a release. The diff
>> doesn't show much information since it's mostly pointless churn.
>>
>> I think it is about time to seriously consider removing exim from the
>> ports tree for good.
>
> That would be OK with me. Of course people can still fetch from the
> Attic and build themselves if they really need it, but the extra
> steps needed for that (+ OS updates) will increase the motivation
> to port the config across to another MTA.
> <snip>
>
>
> ----- End forwarded message -----
>
>
> ---------------------
> PatchSet 215
> Date: 2025/12/18 21:39:26
> Author: tb
> Branch: HEAD
> Tag: (none)
> Log:
> Security update to exim 4.99.1 from maintainer
>
> 1. Incomplete SQL injection fix - CVE-2025-26794's patch doesn't escape single quotes
> 2. Heap buffer overflow - Unvalidated database field used as array bound (NEW)
> https://code.exim.org/exim/exim/src/commit/d46a6727798fc48d1756190a6d46d19216348c25/doc/doc-txt/exim-security-2025-12-09.1/report.txt
>
> Is it finally time to take this behind the barn?
>
> Members:
> Makefile:1.156->1.157
> distinfo:1.52->1.53
>
> ---------------------