- Allowed use of the smtpd(8) session username in built-in filters when available.
- Introduced a bypass keyword to smtpd(8) so that built-in filters can bypass processing when a condition is met.
- Allowed use of 'auth' as an origin in smtpd.conf(5).
- Allowed use of mail-from and rctp-to as for and from parameters in smtpd.conf(5).
- Ensured legacy ssl(8) session ID is persistent during a client TLS session, fixing an issue using TLSv1.3 with smtp.mail.yahoo.com.
- Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read in smtpd allowing an attacker to inject arbitrary commands into the envelope file to be executed as root, and ensured privilege revocation in smtpctl(8) to prevent arbitrary commands from being run with the _smtpq group.
- Allowed mail.local(8) to be run as non-root, opening a pipe to lockspool(1) for file locking.
- Fixed a security vulnerability in smtpd(8) which could lead to a privilege escalation on mbox deliveries and unprivileged code execution on lmtp deliveries.
- Added support for CIDR in a: spf atoms in smtpd(8).
- Fixed a possible crash in smtpd(8) when combining "from rdns" with nested virtual aliases under a particular configuration.
- Introduced smtp-out event reporting.
- Improved filtering protocol.