Updated RELEASE_NOTES.

RELEASE_NOTES.md

@@ -8,6 +8,8 @@ Fixed a bug that caused some notifications to be lost when coming from a user in
 
 Added an additional check for blocked instances.
 
+On OpenBSD, if the `disable_email_notifications` server flag is set to `true`, `unveil()` is not called for the execution of the `/usr/sbin/sendmail` binary and `pledge()` doesn't set the `exec` promise.
+
 ## 2.50
 
 Incoming posts can now be filtered out by content using regular expressions on a server level (these regexes are written in the `filter_reject.txt` file at the server base directory; see `snac(5)` and `snac(8)`).

data.c

@@ -117,18 +117,27 @@ int srv_open(char *basedir, int auto_upgrade)
         srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
     }
     else {
+        int smail = xs_type(xs_dict_get(srv_config, "disable_email_notifications")) != XSTYPE_TRUE;
+
         srv_debug(1, xs_fmt("Calling unveil()"));
         unveil(basedir,                "rwc");
         unveil("/tmp",                 "rwc");
-        unveil("/usr/sbin/sendmail",   "x");
         unveil("/etc/resolv.conf",     "r");
         unveil("/etc/hosts",           "r");
         unveil("/etc/ssl/openssl.cnf", "r");
         unveil("/etc/ssl/cert.pem",    "r");
         unveil("/usr/share/zoneinfo",  "r");
+
+        if (smail)
+            unveil("/usr/sbin/sendmail",   "x");
+
         unveil(NULL,                   NULL);
         srv_debug(1, xs_fmt("Calling pledge()"));
-        pledge("stdio rpath wpath cpath flock inet proc exec dns fattr", NULL);
+
+        if (smail)
+            pledge("stdio rpath wpath cpath flock inet proc exec dns fattr", NULL);
+        else
+            pledge("stdio rpath wpath cpath flock inet proc dns fattr", NULL);
     }
 #endif /* __OpenBSD__ */