Package: ssmtp
Version: 2.64-8+b2
Followup-For: Bug #662960

Dear Maintainer,

I'm changing the severity of this bug to 'serious'. I apologize if this is presumptuous, but it seems to me that software that advertises TLS functionality but neglects to check the supplied certificates is seriously flawed. At the very least, the documentation should contain a Big Fat Warning that the TLS functionality is limited to encryption and does not include authentication of the server.

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.95-lila (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u3
ii  libgnutls-openssl27    3.5.8-5+deb9u3

ssmtp recommends no packages.

ssmtp suggests no packages.

-- Configuration Files:
/etc/logcheck/ignore.d.server/ssmtp [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/ssmtp'
/etc/ssmtp/revaliases changed [not included]

-- debconf information:
  ssmtp/overwriteconfig: true
  ssmtp/port: 25
  ssmtp/root: postmaster
  ssmtp/mailname:
  ssmtp/mailhub: mail
  ssmtp/fromoverride: false
  ssmtp/hostname:
  ssmtp/rewritedomain: