Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:postfix
User: [email protected]
Usertags: pu
[ Reason ]
There's a new upstream stable/bugfix release, 3.10.11, which
fixes 5 more low-impact security ussuses.
[ Tests ]
This release is running in production on our sites for quite
some time already, with no issues.
[ Risks ]
As usual, postfix stable releases (and actually all postfix
releases) are of excellent quality, have very low risk of
breakage. The changes are all small and focused too.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
See below for the debdiff, including d/changelog and upstream
HISTORY changes.
[ Other info ]
The debdiff is against the previous trixie-pu version of
postfix, 3.10.10-0+deb13u1.
I'm uploading this release to the archive, to - hopefully -
save a round-trip in this bug report and to save you some
time.
Thanks,
/mjt
diff -Nru postfix-3.10.10/HISTORY postfix-3.10.11/HISTORY
--- postfix-3.10.10/HISTORY 2026-05-15 22:54:47.000000000 +0300
+++ postfix-3.10.11/HISTORY 2026-06-17 20:06:59.000000000 +0300
@@ -29356,3 +29356,173 @@
implementation-defined behavior (shift one bit into the
sign position). This works today but may break later.
Reported by Kamil Frankowicz. File: util/sys_defs.h.
+
+20260524
+
+ Bugfix (defect introduced: Postfix 3.1, date 20150607):
+ null pointer read and heap data overread in the Postfix
+ SMTP client's smtp_dns_reply_filter. Problem reported by
+ TristanInSec, found with ASAN. Also reported by other people.
+ Reproduction and real-world impact researched by Wietse.
+ File: dns/dns_strrecord.c.
+
+ This is a different problem than the one that was introduced
+ later in Postfix 3.6.
+
+ The root cause is a missing 'break' statement after the
+ code that converts a TLSA record to string.
+
+ Reproduction:
+ =============
+
+ The problem happens when smtp_dns_reply_filter is configured
+ (this is disabled by default); the Postfix SMTP client is
+ configured to use opportunistic or mandatory DANE authentication
+ (this is disabled by default); the destination domain
+ publishes a TLSA record that is empty or shorter than 20
+ bytes; and the OS is configured to use a resolver that
+ passes such a TLSA record. For example, a zero-length TLSA
+ record is blocked by BIND, Google DNS, OpenDNS, and by
+ configurations that use systemd-resolved (the default on
+ many LINUX systems); it is passed by Cloudflare, Quad9 DNS,
+ and unbound, as long as these resolvers are used without
+ systemd-resolved.
+
+ Impact statement:
+ =================
+
+ SMTP client termination with a null pointer read crash when
+ the TLSA record length is zero; or an SMTP client data
+ overread (or rarely, SMTP client termination with a read
+ segfault crash) when 0 < record length < 20 bytes. The
+ overread content is not disclosed.
+
+ The impact of SMTP client crashes is easily overstated.
+ That said, crashes must be eliminated regardless of their
+ impact.
+
+ On systems that deliver fewer than one message per minute,
+ an SMTP client crash can result in a delay of up to one
+ minute for email delivery to other destination domains. On
+ systems with a larger traffic volume, the impact of a null
+ pointer or other segfault crash on deliveries to other
+ destination domains is minor because Postfix reuses SMTP
+ client processes and replaces a failed process within seconds
+ (self-healing); the practical impact is believed to be no
+ worse than that of an uncooperative receiver that tarpits
+ SMTP connections from Postfix to one or more destination
+ domains under their control (by replying within Postfix
+ SMTP client read time limits which are several minutes by
+ default).
+
+20260529
+
+ Robustness: the Postfix SMTP server will no longer receive
+ (and discard) an unlimited amount of text while receiving
+ a long SMTP command line. Problem introduced: Postfix 2.9,
+ date: 20110205; reported by Michael Wollner (Ibonok). Under
+ high load conditions, the amount of text was already limited
+ by a 10-second deadline to receive an SMTP command. File:
+ global/smtp_stream.c.
+
+ Robustness: with the above change the Postfix SMTP client
+ will no longer receive (and discard) an unlimited amount
+ of text while receiving a long SMTP response line.
+
+ Robustness: do not receive (and discard) unlimited amounts
+ of data with BDAT commands. Problem introduced: Postfix
+ 3.4, date: 20180825; found during code maintenance. File:
+ smtpd/smtpd.c.
+
+ Impact statement:
+ =================
+
+ Postfix should not receive and discard unlimited amounts
+ of input in SMTP commands, but fixing that will not
+ fundamentally change the situation.
+
+ By design, any SMTP client can force a server to receive
+ (and discard) an unlimited amount of text. For example,
+ an attacker can repeatedly send messages that are a little
+ under the server's message size limit and abort each
+ transaction a before reaching the message end. When sending
+ a message with the "DATA" command, an attacker would
+ disconnect instead of sending <CR><LF>.<CR><LF>; and when
+ sending a message with the "BDAT" command, an attacker would
+ send "RSET" instead of "BDAT LAST".
+
+ To mitigate such abuse, Postfix can rate-limit the number
+ of message transactions from the same IP address or address
+ range (see smtpd_client_message_rate_limit and *prefix_length
+ parameters). Such a defense is ineffective when faced with
+ a distributed attack (botnet); for that, postscreen combined
+ with an IP reputation service (DNSBL) may be more effective.
+
+20260531
+
+ Bugfix: (defect introduced: Postfix 3.6, date: 20200710):
+ panic (assertion failure and voluntary crash) while parsing
+ a TLSA reply with length 3. Found during code maintenance.
+ See below for root cause, reproduction, and impact.
+
+ Root cause:
+ ===========
+
+ An incorrect test 'length < 3' instead of 'length <= 3'
+ causes a safety check to fail when a TLSA parser attempts
+ to create zero-length storage for a non-existent TLSA
+ certificate association data field.
+
+ Reproduction:
+ =============
+
+ The problem happens when the Postfix SMTP client is configured
+ to use opportunistic or mandatory DANE authentication (this
+ is disabled by default); a destination domain publishes a
+ TLSA record with a length of three bytes; and the OS is
+ configured to use a resolver that passes such a TLSA record.
+ For example, a length-three TLSA record is blocked by BIND,
+ and by configurations that use systemd-resolved (the default
+ on many LINUX systems). It is passed by many other resolvers.
+
+ This bug enables an attack that is more potent than the
+ TLSA parsing bug introduced with Postfix 3.1.
+
+ - An attack with a length-three TLSA reply does not depend
+ on smtp_dns_reply_filter configuration.
+
+ - An attack with a length-three TLSA reply propagates through
+ more resolvers than an attack with a length-zero TLSA reply.
+
+ Impact statement:
+ =================
+
+ SMTP client voluntary termination (crash) after an assertion
+ failure. This is a fail-safe mechanism.
+
+ The impact of SMTP client crashes (voluntary or not) is
+ easily overstated. That said, crashes must be eliminated
+ regardless of their impact.
+
+ On systems that deliver fewer than one message per minute,
+ an SMTP client crash can result in a delay of up to one
+ minute for email delivery to other destination domains.
+
+ On systems with a larger traffic volume, the impact of an
+ SMTP client crash on deliveries to other destination domains
+ is minor because Postfix reuses SMTP client processes and
+ replaces a failed process within seconds (self-healing);
+ the practical impact is believed to be no worse than that
+ of an uncooperative receiver that tarpits SMTP connections
+ from Postfix to one or more destination domains under their
+ control (by replying within Postfix SMTP client read time
+ limits which are several minutes by default).
+
+20260608
+
+ Bugfix (defect introduced: Postfix 3.0, date: 20140708):
+ the SMTP client did not xtext_quote a '+' character in a
+ DSN ORCPT parameter value. A strict receiver implementation
+ could reject or discard the parameter value, but this has
+ never been reported to happen. Found during code maintenance.
+ File: smtp_proto.c.
diff -Nru postfix-3.10.10/debian/changelog postfix-3.10.11/debian/changelog
--- postfix-3.10.10/debian/changelog 2026-06-11 09:55:11.000000000 +0300
+++ postfix-3.10.11/debian/changelog 2026-06-18 07:28:13.000000000 +0300
@@ -1,3 +1,20 @@
+postfix (3.10.11-0+deb13u1) trixie; urgency=medium
+
+ * New upstream version 3.10.11, fixing 5 low-impact issues:
+ - Bugfix: null pointer read and heap data overread
+ in the Postfix SMTP client's smtp_dns_reply_filter
+ - Robustness: the Postfix SMTP server will no longer receive (and discard)
+ an unlimited amount of text while receiving a long SMTP command line
+ - Robustness: do not receive (and discard) unlimited amounts of data
+ with BDAT commands
+ - Bugfix: panic (assertion failure and voluntary crash) while parsing
+ a TLSA reply with length 3
+ - Bugfix: the SMTP client did not xtext_quote a '+' character in a
+ DSN ORCPT parameter value. A strict receiver implementation could reject
+ or discard the parameter value (this has never been reported to happen)
+
+ -- Michael Tokarev <[email protected]> Thu, 18 Jun 2026 07:28:13 +0300
+
postfix (3.10.10-0+deb13u1) trixie; urgency=medium
[ Michael Tokarev ]
diff -Nru postfix-3.10.10/html/smtpd.8.html postfix-3.10.11/html/smtpd.8.html
--- postfix-3.10.10/html/smtpd.8.html 2025-10-23 23:05:16.000000000 +0300
+++ postfix-3.10.11/html/smtpd.8.html 2026-06-17 20:13:38.000000000 +0300
@@ -264,7 +264,7 @@
sions for communication with a Milter application; prior to
Postfix 2.6 the default protocol is 2.
- <b><a
href="postconf.5.html#milter_default_action">milter_default_action</a>
(tempfail)</b>
+ <b><a
href="postconf.5.html#milter_default_action">milter_default_action</a> (see
'postconf -d <a
href="postconf.5.html#milter_default_action">milter_default_action</a>'
output)</b>
The default action when a Milter (mail filter) response is
unavailable (for example, bad Postfix configuration or Milter
failure).
diff -Nru postfix-3.10.10/man/man8/smtpd.8 postfix-3.10.11/man/man8/smtpd.8
--- postfix-3.10.10/man/man8/smtpd.8 2025-10-23 23:05:15.000000000 +0300
+++ postfix-3.10.11/man/man8/smtpd.8 2026-06-17 20:13:38.000000000 +0300
@@ -259,7 +259,7 @@
The mail filter protocol version and optional protocol extensions
for communication with a Milter application; prior to Postfix 2.6
the default protocol is 2.
-.IP "\fBmilter_default_action (tempfail)\fR"
+.IP "\fBmilter_default_action (see 'postconf -d milter_default_action'
output)\fR"
The default action when a Milter (mail filter) response is
unavailable (for example, bad Postfix configuration or Milter
failure).
diff -Nru postfix-3.10.10/src/dns/dns_strrecord.c
postfix-3.10.11/src/dns/dns_strrecord.c
--- postfix-3.10.10/src/dns/dns_strrecord.c 2023-02-13 23:58:00.000000000
+0300
+++ postfix-3.10.11/src/dns/dns_strrecord.c 2026-06-17 20:06:59.000000000
+0300
@@ -99,6 +99,8 @@
} else {
vstring_sprintf_append(buf, "[truncated record]");
}
+ /* 202605 Missing break found by TristanInSec using ASAN. */
+ break;
/*
* We use the SOA record TTL to determine the negative reply TTL. We
diff -Nru postfix-3.10.10/src/global/mail_version.h
postfix-3.10.11/src/global/mail_version.h
--- postfix-3.10.10/src/global/mail_version.h 2026-05-15 21:38:35.000000000
+0300
+++ postfix-3.10.11/src/global/mail_version.h 2026-06-17 20:07:33.000000000
+0300
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20260515"
-#define MAIL_VERSION_NUMBER "3.10.10"
+#define MAIL_RELEASE_DATE "20260617"
+#define MAIL_VERSION_NUMBER "3.10.11"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -Nru postfix-3.10.10/src/global/smtp_stream.c
postfix-3.10.11/src/global/smtp_stream.c
--- postfix-3.10.10/src/global/smtp_stream.c 2024-01-12 21:39:59.000000000
+0300
+++ postfix-3.10.11/src/global/smtp_stream.c 2026-06-17 20:06:59.000000000
+0300
@@ -457,8 +457,12 @@
&& vstream_feof(stream) == 0 && vstream_ferror(stream) == 0)
while ((next_char = VSTREAM_GETC(stream)) != VSTREAM_EOF
&& next_char != '\n')
- /* void */ ;
-
+ if (--bound <= 0) {
+ msg_warn("disabling input from %s", VSTREAM_PATH(stream));
+ vstream_fpurge(stream, VSTREAM_PURGE_READ);
+ shutdown(vstream_fileno(stream), SHUT_RD);
+ break;
+ }
return (last_char);
}
diff -Nru postfix-3.10.10/src/smtp/smtp_proto.c
postfix-3.10.11/src/smtp/smtp_proto.c
--- postfix-3.10.10/src/smtp/smtp_proto.c 2025-10-23 21:17:45.000000000
+0300
+++ postfix-3.10.11/src/smtp/smtp_proto.c 2026-06-17 20:06:59.000000000
+0300
@@ -1867,7 +1867,7 @@
vstring_sprintf_append(next_command, " ORCPT=%s",
vstring_str(session->scratch));
} else {
- xtext_quote(session->scratch, orcpt_type_addr, "=");
+ xtext_quote(session->scratch, orcpt_type_addr, "+=");
vstring_sprintf_append(next_command, " ORCPT=%s",
vstring_str(session->scratch));
}
diff -Nru postfix-3.10.10/src/smtpd/smtpd.c postfix-3.10.11/src/smtpd/smtpd.c
--- postfix-3.10.10/src/smtpd/smtpd.c 2025-10-23 19:45:51.000000000 +0300
+++ postfix-3.10.11/src/smtpd/smtpd.c 2026-06-17 20:13:38.000000000 +0300
@@ -233,7 +233,7 @@
/* The mail filter protocol version and optional protocol extensions
/* for communication with a Milter application; prior to Postfix 2.6
/* the default protocol is 2.
-/* .IP "\fBmilter_default_action (tempfail)\fR"
+/* .IP "\fBmilter_default_action (see 'postconf -d milter_default_action'
output)\fR"
/* The default action when a Milter (mail filter) response is
/* unavailable (for example, bad Postfix configuration or Milter
/* failure).
@@ -3958,6 +3958,21 @@
off_t len;
/*
+ * Skip inputs below 1.5 times the message size limit, staying in sync
+ * with the remote SMTP client. Otherwise, force a negative chunk_size
+ * value to disable reading and discarding input here, and to force a
+ * "lost connection" condition upon a later read operation.
+ */
+ if (ENFORCING_SIZE_LIMIT(var_message_limit)
+ && state->act_size / 1.5 > var_message_limit - chunk_size / 1.5) {
+ chunk_size = -1;
+ } else if (state->act_size > OFF_T_MAX - chunk_size) {
+ state->act_size = OFF_T_MAX;
+ } else {
+ state->act_size += chunk_size;
+ }
+
+ /*
* Read and discard content from the remote SMTP client. TODO: drop the
* connection in case of overload.
*/
@@ -3975,6 +3990,16 @@
va_end(ap);
/*
+ * Force a "lost connection" condition upon the next read operation.
+ */
+ if (chunk_size < 0) {
+ msg_warn("%s: too much BDAT content -- disabling further input from %s",
+ state->queue_id ? state->queue_id : "NOQUEUE",
+ state->namaddr);
+ shutdown(vstream_fileno(state->client), SHUT_RD);
+ }
+
+ /*
* Reset state, or drop subsequent BDAT payloads until BDAT LAST or RSET.
*/
if (final_chunk)
diff -Nru postfix-3.10.10/src/tls/tls_dane.c postfix-3.10.11/src/tls/tls_dane.c
--- postfix-3.10.10/src/tls/tls_dane.c 2024-10-11 01:15:24.000000000 +0300
+++ postfix-3.10.11/src/tls/tls_dane.c 2026-06-17 20:06:59.000000000 +0300
@@ -518,7 +518,7 @@
q, a, r, rr->type);
/* Drop truncated records */
- if ((dlen = rr->data_len - 3) < 0) {
+ if ((dlen = rr->data_len - 3) <= 0) {
msg_warn("%s%s%s: truncated TLSA RR length == %u",
q, a, r, (unsigned) rr->data_len);
return (0);