Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16

[An on-line version of this announcement will be available at]

Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available. These releases contain a fix for CVE-2011-0411, which allows plaintext command injection into SMTP sessions over TLS. This defect was introduced with Postfix version 2.2.

Note: CVE-2011-0411 is an issue only for the minority of SMTP clients that actually verify server certificates. Without server certificate verification, clients are always vulnerable to man-in-the-middle attacks that allow attackers to inject plaintext commands or responses into SMTP sessions, and more.
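As an added illustration, and not code from the Postfix project or from this announcement, the Python simulation below shows the server-side I/O defect class behind CVE-2011-0411 as it is generally described: plaintext bytes that the server has already buffered when it reads the STARTTLS command must not be interpreted once the TLS handshake has completed, because they were never protected by TLS. The mitigation is to discard any buffered plaintext before handing the connection to the TLS layer. The client stream, the commands and the simplified "handshake" are constructed assumptions for the demonstration.

```python
"""Simulated SMTP server command loop across a STARTTLS transition.

Shows the vulnerable behaviour (buffered plaintext leaking into the TLS
session) next to the fixed behaviour (buffer discarded before the handshake).
Everything here is a constructed model, not Postfix code.
"""
from typing import List, Optional, Tuple

# Constructed sample input: a second command arrives in the same read as
# STARTTLS. Not captured from any real session.
PIPELINED_PLAINTEXT = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
# Constructed sample: what the (simulated) TLS layer yields after the handshake.
ENCRYPTED_COMMANDS = b"EHLO client.example\r\nMAIL FROM:<a@example>\r\nQUIT\r\n"


class LineReader:
    """Minimal buffered reader that hands out one CRLF-terminated line at a time."""

    def __init__(self, data: bytes) -> None:
        self.buf = bytearray(data)

    def readline(self) -> Optional[bytes]:
        i = self.buf.find(b"\r\n")
        if i < 0:
            return None
        line = bytes(self.buf[:i])
        del self.buf[: i + 2]
        return line

    def discard_buffered(self) -> int:
        """Drop everything still buffered; return how many bytes were dropped."""
        n = len(self.buf)
        self.buf.clear()
        return n


def run_session(plaintext: bytes, tls_payload: bytes,
                flush_on_starttls: bool) -> Tuple[List[Tuple[bytes, bool]], int]:
    """Process commands and return (log of (verb, received_over_tls), bytes discarded).

    With flush_on_starttls=False the reader keeps whatever plaintext followed
    STARTTLS in its buffer, so those bytes are executed as if they had been
    sent inside the TLS session (the CVE-2011-0411 defect class).
    With flush_on_starttls=True that buffered plaintext is discarded first.
    """
    log: List[Tuple[bytes, bool]] = []
    discarded = 0
    reader = LineReader(plaintext)
    over_tls = False
    while True:
        line = reader.readline()
        if line is None:
            break
        verb = line.split(b" ", 1)[0].upper()
        log.append((verb, over_tls))
        if verb == b"STARTTLS" and not over_tls:
            if flush_on_starttls:
                discarded = reader.discard_buffered()
            # Simulated handshake: from here on, input comes from the TLS layer.
            # Any plaintext still sitting in the buffer is read before it.
            reader.buf.extend(tls_payload)
            over_tls = True
        if verb == b"QUIT":
            break
    return log, discarded


if __name__ == "__main__":
    for flush in (False, True):
        log, n = run_session(PIPELINED_PLAINTEXT, ENCRYPTED_COMMANDS, flush)
        print("flush_on_starttls=%s discarded=%d" % (flush, n))
        for verb, tls in log:
            print("  %-8s %s" % (verb.decode(), "TLS" if tls else "plaintext"))
```

In the vulnerable run the RSET that arrived in plaintext is logged as a TLS-protected command; in the fixed run it is dropped and only the commands that actually came through the TLS layer are processed after STARTTLS. The same rule applies on the client side for buffered server responses.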

For more details see:

Postfix 2.8 and 2.9 are not affected.

The following problems were fixed with the Postfix legacy releases:

Historical note:

Wietse Venema discovered the problem two weeks before the Postfix 2.8 release, and silently fixed it pending further investigation. While investigating the problem's scope and impact, Victor Duchovni found that many other TLS applications were also affected. At that point, CERT/CC was asked to coordinate the problem's resolution.

You can find the updated Postfix source code at the mirrors listed at