Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.2.html]

Fixed in Postfix 3.11:

• Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon dereferenced an uninitialized pointer after a request protocol error. This daemon is not exposed to local or remote users. Found by Claude Opus 4.6.

• Bugfix (defect introduced: 20260309) a change, to set the service_name default value to "amnesiac", violated a test that parameter names in postconf output must match 1:1 with parameter names in the postlink script.

Fixed in Postfix 3.10:

• Bugfix (defect introduced: Postfix 3.10): The RFC 2047 encoder for the sender "full name" could loop when a very long full_name_encoding_charset value was configured in main.cf. Found by Claude Opus 4.6.

Fixed in Postfix 3.8, 3.9, 3.10:

• Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer over-read when Postfix an enhanced status code is not followed by other text. For example, "5.7.2" without text after the three-number code. This CANNOT be triggered with an SMTP or LMTP server response; is confirmed with an access(5) table and likely with a policy server response; can possibly be triggered with pipe-to-command output, header_checks(5), body_checks(5), an error(8) transport in transport_maps, or a milter response; and is confirmed with a DNSBL server TXT response while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps or default_rbl_reply. This could result in process termination. Problem reported by Kamil Frankowicz.

  For older Postfix versions, a buffer over-read patch is included at the end of this text.

• Code cleanup: log a fatal error instead of dereferencing a null pointer after a first/next cursor initialization failure. Fedor Vorobev. This affected the Berkeley DB client.

Fixed in Postfix 3.8, 3.9, 3.10. 3.11:

• Portability: support for recent FreeBSD, NetBSD, and OpenBSD versions. Brad Smith.

• Bugfix (defect introduced: Postfix 2.2, date 20041207): When truncating a database file, the cdb: database client looked at the file size from before requesting an exclusive lock on a database file, instead of the file size after the exclusive lock was granted. Found by Claude Opus 4.6.

• Bugfix (defect introduced: Postfix alpha, date 19980309): file descriptor leak after fork() failure. Found by Claude Opus 4.6.

• Mistakes in debug logging. Found by Claude Opus 4.6. This affected two files in Postfix 3.8 and 3.9, three files in Postfix 3.10 and 3.11.

• Unchecked null pointer results after an out-of-memory condition in a library dependency. Found by Claude Opus 4.6. The fix is to return an error status or to log a fatal error. This affected three source files.

• Missing or incomplete guards for ssize_t or int overflow, found by Claude Opus 4.6. This affected three source files. These limits are unlikely to be exceeded because the size of in-memory objects is limited by design (the number of in-memory objects is also limited).

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.

Buffer over-read patch for Postfix 2.3 .. 3.7:

--- /var/tmp/postfix-3.8.15/src/global/dsn_util.c	2006-01-07 20:28:37.000000000 -0500
+++ src/global/dsn_util.c	2026-05-01 16:59:50.961688175 -0400
@@ -155,5 +155,5 @@
 	strncpy(dp->dsn.data, cp, len);
 	dp->dsn.data[len] = 0;
-	cp += len + 1;
+	cp += len;
     } else if ((len = dsn_valid(def_dsn)) > 0) {
 	strncpy(dp->dsn.data, def_dsn, len);