[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.5.html]
This release addresses medium-impact problems that need to be fixed as some enable remote DOS, or local memory corruption.
The fixes below, and more, are also released in the unstable version postfix-3.12-20260706.
In addition to updated releases for the supported Postfix versions 3.8-3.11, releases will also be available for the out-of-support Postfix versions 3.5-3.7. NOTE: these do not include the patches for out-of-support Postfix versions that have been issued for "large SMTP inputs (June 2026)", "TLSA parsing (June 2026)", and "SMTP smuggling fixes". Those patches still need to be applied.
These defects were found by Qualys assisted by Claude Mythos Preview; more than half date from 20 or more years ago. When I implemented Postfix, I knew that there were going to be mistakes. That is the reason why Postfix has its architecture and safety nets. The number of defects may seem large, but consdering that they were found in a code base of some 150 thousand lines, the error rate is still lower than what I designed for.
Denial of service:
Bug (defect introduced: Postfix 2.7, date: 20090617): out-of-memory condition with remote input in the postscreen dummy SMTP engine. This dummy engine is used after PREGREET or DNSBL checks fail, or when "after 220" protocol checks are enabled. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 2.0, date: 20030619): file system DOS: with smtpd_proxy_filter enabled, the before-filter SMTP server did not enforce the message size limit for mailbox From_ lines at the beginning of a message. With smtpd_proxy_filter disabled, the file size limit was still enforced by the cleanup daemon. Reported by Qualys, assisted by Claude Mythos Preview.
Memory corruption:
Bug (defect introduced: Postfix 2.3, date: 20060611): double ldap_msgfree(resloop) call during error handling when special_result_attribute is configured. An attacker who controls the LDAP server or can play attacker-in-the-middle could corrupt heap memory. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 3.4, date: 20190121): missing null termination in a postlogd process that was started with an EMPTY maillog_file setting, while receiving a message from a postlog command that was started with a NON-EMPTY maillog_file setting. Under these contradicting conditions, an unprivileged attacker could cause postlogd to write null bytes to stack memory as it tokenized text outside the receive buffer, and possibly gain 'postfix' privilege. Problem reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 2.3, date: 20060711): one-byte heap over-write in the Milter client with soft_bounce=yes while processing a malformed SMFIR_REPLYCODE Milter response. An attacker who controls the Milter or who can play attacker-in-the-middle could corrupt heap memory. Reported by Qualys, assisted by Claude Mythos Preview.
Other crashes and panic()s:
Bug (defect introduced: Postfix 2.1, date: 20030619): SMTP server panic() in smtpd_proxy_filter when handling long mailbox From_ lines at the beginning of a message. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 3.1, date: 20151129): a missing return statement in the SHOWQ_CLEANUP_AND_RETURN() macro. A local user could submit a crafted message that triggered a read-after-free and panic() in the unprivileged showq daemon (which scans the mail queue for the 'postqueue -p' and 'mailq' commands). This could happen only before a message had been picked up by the pickup(8) daemon. Problem reported by Qualys, assisted by Claude Mythos Preview.
Bug: (defect introduced: Postfix 3.10, date: 20240925): NULL pointer read in the TLSRPT client, caused by missing STR_OR_NULL() wrappers. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix < alpha, date: 1997): missing recursion guard while processing :include: files that directly include other :include: files in local(8) aliases or .forward files. This could result in exhausting stack space (segfault) or file handles (fatal error). This is not a global DOS; it affected at most two parallel delivery processes for the local recipient who created the condition. Reported by Qualys, assisted by Claude Mythos Preview.
Other read after free:
Bug (defect introduced: postfix-3.11.0-RC1, date: 20251222): heap memory over-read in the cleanup daemon as it handled a milter "shutdown" reply. The over-read memory was logged after masking unprintable content. Problem reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 2.3, date: 20050526): limited (<= 11 byte) heap over-read in the cleanup daemon. This could be triggered by local user with a crafted queue file, but the over-read content was not disclosed and there was no other impact. Problem reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix < alpha, date: 19971221): a signal handler in the postdrop command could call unlink() with a pathname that was already wiped and free()d, but not yet reused. Reported by Qualys, assisted by Claude Mythos Preview.
Other code hygiene:
Bug (defect introduced: Postfix 3.11, date: 20260219): In the non-BerkeleyDB re-indexing server, vstream_fopen_as() ignored the uid and gid arguments and opened a database source file read-only as the 'postfix' user instead of the file owner. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 2.2. date: 20040829): after a RAND_bytes() call failure, do not rely on stack-based pseudo-randomness for tlsmgr seed generation, and for timing jitter of tlsmgr seed refresh intervals. Reported by Qualys, assisted by Claude Mythos Preview.
Bug (defect introduced: Postfix 2.3, date: 20060711): In the Milter client, null-terminate the SMFIR_REPLYCODE response data to exclude stale data when processing the result as a C string. Reported by Qualys, assisted by Claude Mythos Preview.
Proactive changes:
Hardening: make sure that optimizers will not delete a memset() call in myfree() that wipes memory.
Allow zero-length memory allocation requests. Many people have experience with systems that allow this, therefore it should not trigger a panic in Postfix.
Safety: added a global recursion guard in the local delivery agent.
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.