<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.mail.postfix.announce">
    <title>gmane.mail.postfix.announce</title>
    <link>http://blog.gmane.org/gmane.mail.postfix.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/140"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/139"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/138"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/137"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/136"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/134"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/133"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/132"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/131"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/130"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/129"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/128"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/127"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/126"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/125"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/124"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/123"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/122"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/121"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.mail.postfix.announce/120"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/140">
    <title>Postfix 2.9.2, 2.8.11, 2.7.10, 2.6.16 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/140</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.9.3.html]

Postfix stable release 2.9.3, and legacy releases 2.8.11, 2.7.10,
2.6.16 are available. They contain workarounds that are already
part of Postfix 2.10.

  * OpenSSL related (all supported Postfix versions).

      o Some people have reported program crashes when the OpenSSL
        library was updated while Postfix was accessing the Postfix
        TLS session cache. To avoid this, the Postfix TLS session
        cache ID now includes the OpenSSL library version number.
        This cache ID is not shared via the network.

      o The OpenSSL workaround introduced with the previous stable
        and legacy releases did not compile with older gcc compilers.
        These compilers can't handle #ifdef inside a macro invocation
        (NOT: definition).

  * Postfix 2.9 only.

      o The postconf command flagged parameter "-o name=value"
        settings in master.cf as "unused" when those settings were
        used only in main.cf. Problem reported by Michael Tokarev.

  * postscreen(8) related (Postfix 2.9, Postfix 2.8).

      o To avoid repeated warnings from postscreen(8) with "connect
        to private/dnsblog service: Connection refused" on FreeBSD,
        the dnsblog(8) daemon now uses the single_server program
        driver instead of the multi_server driver. This one-line
        code change has no performance impact for other systems,
        and eliminates a high-frequency accept() race on a shared
        socket that appears to cause trouble on FreeBSD. The same
        single_server program driver has proven itself for many
        years in smtpd(8).  Problem reported by Sahil Tandon.

  * Laptop-friendly support (all supported Postfix versions). A
    little-known secret is that Postfix has always had support to
    avoid unnecessary disk spin-up for MTIME updates, by doing
    s/fifo/unix/ in master.cf (this is currently not supported on
    Solaris systems). However, two minor fixes are needed to make
    this bullet-proof.

      o In laptop-friendly mode, the "postqueue -f" and "sendmail
        -q" commands did not wait until their requests had reached
        the pickup and qmgr servers before closing their UNIX-domain
        request sockets.

      o In laptop-friendly mode, the unused postkick command waited
        for more than a minute because the event_drain() function
        was comparing bitmasks incorrectly on systems with kqueue(2),
        epoll(2) or /dev/poll support.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

        Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-05-21T12:55:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/139">
    <title>OpenSSL 1.0.1 workaround: Postfix 2.9.2, 2.8.10, 2.7.9, and 2.6.15</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/139</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.9.2.html]

Postfix stable release 2.9.2, and legacy releases 2.8.10, 2.7.9,
2.6.15 are available. They contain workarounds that are already
part of Postfix 2.10.

These releases add support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these protocols
are known to cause inter-operability problems, for example with
some hotmail services.

The radical workaround is to temporarily turn off problematic
protocols globally:

    /etc/postfix/main.cf:
        smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

        smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

However, it may be better to temporarily turn off problematic
protocols for broken sites only:

    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    /etc/postfix/tls_policy:
        example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

Notes:

  * Note the use of ":" instead of comma or space. Also, note that
    there is NO space around the "=" in "protocols=".

  * The smtp_tls_policy_maps lookup key must match the "next-hop"
    destination that is given to the Postfix SMTP client. If you
    override the next-hop destination with transport_maps, relayhost,
    sender_dependent_relayhost_maps, or otherwise, you need to
    specify the same destination for the smtp_tls_policy_maps lookup
    key.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-04-24T21:01:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/138">
    <title>Postfix legacy release 2.8.9</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/138</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.9.html]

Postfix stable release 2.8.9 is available. This contains fixes that
are already part of Postfix 2.9 and 2.10.

    * The "change header" milter request could replace the wrong
      header. A long header name could match a shorter one, because
      a length check was done on the wrong string. Reported by
      Vladimir Vassiliev.

    * Core dump when postlog emitted the "usage" message, caused
      by an extraneous null assignment. Reported by Kant (fnord.hammer).

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-03-05T21:21:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/137">
    <title>Postfix 2.9.1 stable release</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/137</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.9.1.html]

Postfix stable release 2.9.1 is available. This contains fixes that
are already part of Postfix 2.10.

    * The "change header" Milter request could replace the wrong
      header. A long header name could match a shorter one, because
      a length check was done on the wrong string. Reported by
      Vladimir Vassiliev. This was introduced with Postfix 2.3.

    * "sendmail -bs" segfault, due to a missing guard statement
      after an smtpd_check_rewrite() call was moved closer to the
      command processor loop. Fix by Bartek Szady. This was introduced
      20111219 near the end of the 2.9 development cycle.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-02-22T13:34:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/136">
    <title>Postfix legacy release 2.7.8, 2.6.14 and 2.5.17</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/136</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.8.html]

Postfix legacy releases 2.7.8, 2.6.14 and 2.5.17 are available.
This is the final update for Postfix 2.5, released in 2008. From
now on, the supported stable and legacy releases are Postfix 2.6
.. 2.9. New features appear in the Postfix 2.10 development release.

    * (Postfix 2.5, 2.6) While the Postfix SMTP client's protocol
      parser uses the last SMTP reply line as intended, the error
      processing routine was taking information from the beginning
      of the response. This was causing "Protocol error" bounces
      with postscreen multi-line responses and Postfix &amp;lt;= 2.6 clients.

    * (Postfix 2.5, 2.6, 2.7) The fix for local delivery agent
      database lookup errors was incomplete. The fix correctly added
      new code to detect database lookup errors with
      mailbox_transport_maps, mailbox_command_maps or
      fallback_transport_maps, but it failed to log the problem,
      and to produce a defer logfile record which is needed for
      "delayed mail" and "mail too old" delivery status notifications.

    * (Postfix 2.5, 2.6, 2.7) The trace(8) service, used for DSN
      SUCCESS notifications, did not distinguish between notifications
      for a non-bounce or a bounce message, causing it to "reply"
      to mail with the null sender address. Problem reported by
      Sabahattin Gucukoglu.

    * (Postfix 2.5, 2.6, 2.7) The "change header" milter request
      could replace the wrong header. A long header name could match
      a shorter one, because a length check was done on the wrong
      string. Reported by Vladimir Vassiliev.

    * (Postfix 2.7) Support for Dovecot auth over TCP sockets, using
      code that already existed for testing purposes.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-02-06T15:45:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/134">
    <title>Postfix stable release 2.9.0</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/134</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.9.0.html]

Postfix stable release 2.9.0 is available. The main changes in no
particular order are:

    * Support for long, non-repeating, queue IDs (queue file names).
      The main benefit of non-repeating names is simpler logfile
      analysis. See the description of "enable_long_queue_ids" in
      postconf(5) for details.

    * Memcache client support, and support to share postscreen(8)
      and verify(8) caches via the proxymap server. Details are in
      memcache_table(5) and MEMCACHE_README.

    * Gradual degradation: if a database is unavailable (can't open,
      most read or write errors) a Postfix daemon will log a warning
      and continue providing the services that don't depend on that
      table, instead of immediately terminating with a fatal error.
      To terminate immediately when a database file can't be opened,
      specify "daemon_table_open_error_is_fatal = yes".

    * Revised postconf(1) command. It warns about unused parameter
      name=value settings in main.cf or master.cf (likely mistakes),
      understands "dynamic" parameter names such as names that
      depend on the name of a master.cf entry (finally, "postconf
      -n" shows all parameter settings), and it can display main.cf
      and master.cf in a more user-friendly format (postconf -nf,
      postconf -Mf).

    * Read/write deadline support in the SMTP client and server to
      defend against application-level DOS attacks that very slowly
      write or read data one byte at a time.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-02-01T13:58:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/133">
    <title>Postfix legacy release 2.8.8</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/133</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.8.html]

Postfix legacy release 2.8.8 is available. This contains fixes that
are already part of Postfix 2.9 and 2.10.

    * The Postfix sqlite client, introduced with Postfix 2.8, had
      an embarrassing bug in its quoting routine. As the result of
      a last-minute code cleanup before release, this routine
      returned the unquoted text instead of the quoted text. The
      opportunities for mis-use are limited: Postfix sqlite database
      files are usually owned by root, and Postfix daemons usually
      run with non-root privileges so they can't corrupt the database.
      This problem was reported by Rob McGee (rob0).

    * The Postfix 2.8.4 fix for local delivery agent database lookup
      errors was incomplete. The fix correctly added new code to
      detect database lookup errors with mailbox_transport_maps,
      mailbox_command_maps or fallback_transport_maps, but it failed
      to log the problem, and to produce a defer logfile record
      which is needed for "delayed mail" and "mail too old" delivery
      status notifications.

    * The trace(8) service, used for DSN SUCCESS notifications, did
      not distinguish between notifications for a non-bounce or a
      bounce message, causing it to "reply" to mail with the null
      sender address. Problem reported by Sabahattin Gucukoglu.

    * Support for Dovecot auth over TCP sockets, using code that
      already existed for testing purposes. Patrick Koetter kindly
      provided an update for the SASL_README file.

    * Workaround in the LDAP client for changes in the under-documented
      OpenLDAP API, by Victor Duchovni.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2012-02-01T13:57:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/132">
    <title>Postfix stable release 2.8.7</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/132</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.7.html]

Postfix stable release 2.8.7 is available. This contains a workaround
for a problem that is fixed in Postfix 2.9.

    * The postscreen daemon, which is not enabled by default, sent
      non-compliant SMTP responses (220- followed by 421) when it
      could not give a connection to a real smtpd process. These
      responses caused some remote SMTP clients to return mail as
      undeliverable.

      The workaround is to hang up after sending 220- without sending
      the 421 "sorry" reply; this is harmless.

      The complete fix involves too much change for a stable release:
      send the 220 greeting, wait for the EHLO command, then send
      the 421 "sorry" reply and hang up.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-11-07T14:55:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/131">
    <title>Postfix stable release 2.8.6, 2.7.7, 2.6.13, 2.5.16</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/131</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.6.html]

Postfix stable release 2.8.6, 2.7.7, 2.6.13 and 2.5.16 are available.
These contain fixes that are also included with the Postfix 2.9
experimental release.

    * The Postfix SMTP daemon sent "bare" newline characters instead
      of &amp;lt;CR&amp;gt;&amp;lt;LF&amp;gt; when a header_checks REJECT pattern matched
      a multi-line header. This bug was introduced with Postfix 1.1.

    * The Postfix SMTP daemon sent "bare" newline characters instead
      of &amp;lt;CR&amp;gt;&amp;lt;LF&amp;gt; when an smtpd_proxy_filter returned a multi-line
      response. This bug was introduced with Postfix 2.1.

    * For compatibility with future EAI (email address
      internationalization) implementations, the Postfix MIME
      processor no longer enforces the strict_mime_encoding_domain
      check on unknown message subtypes such as message/global*.
      This check is disabled by default.

    * The Postfix master daemon could report a panic error
      ("master_spawn: at process limit") after the process limit
      for some service was reduced with "postfix reload". This bug
      existed in all Postfix versions.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-10-24T12:10:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/130">
    <title>Postfix stable release 2.8.5, 2.7.6, 2.6.12, 2.5.15</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/130</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.5.html]

Postfix stable release 2.8.5, 2.7.6, 2.6.12, and 2.5.15 are available.
These contain fixes and workarounds for the Postfix Milter client
that were already included with the Postfix 2.9 experimental release.

    * The Postfix Milter client logged a "milter miltername: malformed
      reply" error when a Milter sent an SMTP response without
      enhanced status code (i.e. "XXX Text" instead of "XXX X.X.X
      Text").

    * The Postfix Milter client sent a random {client_connections}
      macro value when the remote SMTP client was not subject to
      any smtpd_client_* limit. As a workaround, it now sends a
      zero value instead.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-09-03T14:30:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/129">
    <title>Postfix legacy releases 2.7.5, 2.6.11 and 2.5.14</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/129</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.5.html]

Postfix legacy releases 2.7.5, 2.6.11 and 2.5.14 are available.
These contain fixes and workarounds that were already included
with Postfix stable release 2.8.4.

Fixed with Postfix version 2.7.5, 2.6.11 and 2.5.14:

    * Performance: a high load of DSN success notification requests
      could slow down the queue manager. Solution: make the trace
      client asynchronous, just like the bounce and defer clients.

    * The local(8) delivery agent ignored table lookup errors in
      mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
      and (while bouncing mail to alias) alias owner lookup.  

    * Workaround: dbl.spamhaus.org rejects lookups with "No IP
      queries" even if the name has an alphanumerical prefix. We
      play safe, and skip both RHSBL and RHSWL queries for names
      ending in a numerical suffix.  

    * The Postfix Milter client reported a temporary error instead
      of "file too large" in three cases.  

    * Linux kernel version 3 support. Linus Torvalds has reset the
      counters for reasons not related to changes in code.

Fixed with Postfix 2.7.5:

    * The "sendmail -t" command reported "protocol error" instead
      of "file too large", "no space left on device" etc.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-07-11T12:22:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/128">
    <title>Postfix 2.8.4 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/128</link>
    <description>&lt;pre&gt; Postfix stable release 2.8.4

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.4.html]

Postfix stable release 2.8.4 is available. This contains fixes and
workarounds that were already included with the Postfix 2.9
experimental release. Where applicable these fixes will also be
made available for the legacy releases Postfix 2.5..2.7.

    * Performance: a high load of DSN success notification requests
      could slow down the queue manager. Solution: make the trace
      client asynchronous, just like the bounce and defer clients.

    * The local(8) delivery agent ignored table lookup errors in
      mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
      and (while bouncing mail to alias) alias owner lookup.

    * Workaround: dbl.spamhaus.org rejects lookups with "No IP
      queries" even if the name has an alphanumerical prefix. We
      play safe, and skip both RHSBL and RHSWL queries for names
      ending in a numerical suffix.

    * The "sendmail -t" command reported "protocol error" instead
      of "file too large", "no space left on device" etc.

    * The Postfix Milter client reported a temporary error instead
      of "file too large" in three cases.

    * Linux kernel version 3 support. Linus Torvalds has reset the
      counters for reasons not related to changes in code.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-07-07T19:51:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/127">
    <title>Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/127</link>
    <description>&lt;pre&gt;[On-line version will be at http://www.postfix.org/CVE-2011-1720.html]

Summary
=======

The Postfix SMTP server has a memory corruption error when the Cyrus
SASL library is used with authentication mechanisms other than PLAIN
and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
enabled for different reasons). See below for instructions to
determine what systems are affected.

Examples of affected Cyrus SASL authentication methods are CRAM-MD5,
DIGEST-MD5, EXTERNAL, GSSAPI, KERBEROS_V4, NTLM, OTP, PASSDSS-3DES-1,
and SRP.

The error was introduced with the Postfix SASL patch, and is present
in all Postfix versions where the command "postconf mail_release_date"
reports a value of 20000314 (March 14, 2000) or greater.

This problem was discovered by Thomas Jarosch of Intra2net AG.

The memory corruption is known to result in a program crash (SIGSEGV).
Remote code execution cannot be excluded. Such code would execute
as the unprivileged "postfix" user. This user has no control over
processes that run with non-postfix privileges including Postfix
processes running as root; the impact may be reduced with configurations
that enable the Postfix chroot feature or that use platform-dependent
privilege-reducing features.

The problem is fixed in Postfix stable releases 2.5.13, 2.6.10,
2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1,
2011; patches exist for Postfix version 1.1 and later. All this is
available from Postfix mirrors at http://www.postfix.org/download.html.

What systems are affected
=========================

The Postfix SMTP client is not affected.

Affected are Postfix SMTP server configurations that have SASL
authentication turned on, and that use Cyrus SASL authentication
mechanisms other than ANONYMOUS, PLAIN and LOGIN. Here,

  * the command "postconf smtpd_sasl_auth_enable" produces as output
    "smtpd_sasl_auth_enable = yes";

  * and the command "postconf smtpd_sasl_type" produces as output
    "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown
    parameter");

  * and the Postfix SMTP server's reply to the EHLO command shows
    AUTH methods other than ANONYMOUS, PLAIN and LOGIN. Examples
    of other methods are CRAM-MD5 or DIGEST-MD5.

    Example for the "port 25" service:

    $ telnet server.example.com 25
    Connected to server.example.com.
    Escape character is '^]'.
    220 server.example.com ESMTP Postfix
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-STARTTLS
    250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    Example for the "port 587" (submission) service. This service
    is not enabled by default.

    $ openssl s_client -quiet -starttls smtp -connect server.example.com:587
    [TLS handshake information deleted]
    250 DSN
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye

Although it is not affected, the ANONYMOUS authentication mechanism
should not be enabled as it can make an SMTP server an open relay.

What systems are not affected
=============================

The Postfix SMTP client is not affected.

Not affected are Postfix SMTP server configurations that have SASL
authentication turned off, including configurations without SASL
support compiled in. Here, the command "postconf smtpd_sasl_auth_enable"
produces as output "smtpd_sasl_auth_enable = no".

Not affected are Postfix SMTP server configurations that use Dovecot
SASL instead of Cyrus SASL. Here, the command "postconf smtpd_sasl_type"
produces as output "smtpd_sasl_type = dovecot".

Not affected are Postfix SMTP server configurations that enable
Cyrus SASL support with only the PLAIN or LOGIN methods, or both.
Here,

  * the command "postconf smtpd_sasl_auth_enable" produces as output
    "smtpd_sasl_auth_enable = yes";

  * and the command "postconf smtpd_sasl_type" produces as output
    "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown
    parameter");

  * and the Postfix SMTP server's reply to the EHLO command shows
    only AUTH mechanisms of PLAIN, LOGIN, or both.

    Example for the "port 25" service:

    $ telnet server.example.com 25
    Connected to server.example.com.
    Escape character is '^]'.
    220 server.example.com ESMTP Postfix
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    Example for the "port 587" (submission) service. This service
    is not enabled by default.

    $ openssl s_client -quiet -starttls smtp -connect server.example.com:587
    [TLS handshake information deleted]
    250 DSN
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye

Not affected is the ANONYMOUS authentication mechanism, but this
should not be enabled as it can make an SMTP server an open relay.

Workarounds
===========

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP
server other than PLAIN and LOGIN. The mechanisms are specified in
a Cyrus SASL smtpd.conf configuration file. This file may be found
in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/
or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods
other than PLAIN and LOGIN. For example, this configuration is not
affected:

    mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective,
then verify that the "port 25" and "port 587" services no longer
announce other SASL mechanisms, as shown in the previous section.

Technical details
=================

The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).

According to a comment in a Cyrus SASL include source file, a server
must not reuse a Cyrus SASL server handle after client authentication
failure. Instead, a server must create a new Cyrus SASL server
handle including mechanism list, before processing another client
authentication request.

The Postfix SMTP server fails to create a new Cyrus SASL server
handle after authentication failure. This causes memory corruption
when, for example, a client requests CRAM-MD5 authentication, fails
to authenticate, and then invokes some other authentication mechanism
except PLAIN (or ANONYMOUS if available). The likely outcome is
that the Postfix SMTP server process crashes with a segmentation
violation error (SIGSEGV, a.k.a. signal 11).

In the following example, S: indicates server output and C: indicates
client input. Line numbers are prepended for reference in the
background discussion in the next section.

     1 S: 220 server.example.com ESMTP
     2 C: EHLO client.example.com
     3 S: 250-server.example.com
     4 S: ...other server output skipped...
     5 S: 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
     6 S: 250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
     7 S: ...other server output skipped...
     8 C: AUTH CRAM-MD5
     9 S: 334 PDg5ODE0OTI3MS4xMDQyMTg1OUBzZXJ2ZXIuZXhhbXBsZS5jb20+Cg==
    10 C: *
    11 S: 501 5.7.0 Authentication aborted
    12 C: AUTH DIGEST-MD5
    13 Connection closed by foreign host.

In the mail logfile, Postfix will log a warning similar to:

    postfix/master[2213]: warning: process /usr/libexec/postfix/smtpd
    pid 22585 killed by signal 11

Background
==========

Each Cyrus SASL authentication mechanism is implemented with a) one
statically-allocated shared data structure containing data and
pointers to functions that implement the mechanism, and b)
dynamically-allocated session context data structures with
authentication state.

When the Postfix SMTP server receives "AUTH CRAM-MD5" (line 8 above),
the Cyrus SASL CRAM-MD5 method initializes one CRAM-MD5 session
context data structure, and generates the "step 1" initial client
challenge which the Postfix SMTP server sends in line 9 above.

When the SMTP client sends "*" to abort the CRAM-MD5 authentication
request (line 10 above), the CRAM-MD5 session context data structure
remains attached to the Cyrus SASL server handle. Postfix fails to
create a new Cyrus SASL server handle when the client sends the
subsequent "AUTH DIGEST-MD5" request (line 12 above); the DIGEST-MD5
method will therefore use the "wrong" session context data structure
(which was created after the "AUTH CRAM-MD5" request on line 8),
and will skip its "step 1" challenge.

Each Cyrus SASL authentication method has a different context data
structure layout. Because of these differences, the bits from the
CRAM-MD5 method's context data structure will not work as intended
with the DIGEST-MD5 method. As shown in the stack trace below, the
Postfix SMTP server process crashes in "step 2" of the DIGEST-MD5
authentication protocol. This happens while attempting to read from
a pointer that contains an invalid address.

In this particular example, the Postfix SMTP server crashes while
running under control of the GDB debugger (see the Postfix master(5)
manpage discussion of the -D option), while processing the SMTP
commands shown in the example above.

(gdb) where
#0  0x884bbedf in clear_reauth_entry (reauth=0x206e6f69, type=SERVER,
    utils=0x88534400) at digestmd5.c:1579
#1  0x884be648 in digestmd5_server_mech_step2 (stext=0x88518150,
    sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2588
#2  0x884be9c5 in digestmd5_server_mech_step (conn_context=0x88518150,
    sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2689
#3  0x882a51e9 in sasl_server_step (conn=0x8855e000, clientin=0x0,
    clientinlen=0, serverout=0xbfbfe140, serveroutlen=0xbfbfe144)
    at server.c:1430
#4  0x882a5002 in sasl_server_start (conn=0x8855e000, mech=0x8854dc08
    "DIGEST-MD5", clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144) at server.c:1362
#5  0x08066bf7 in xsasl_cyrus_server_first (xp=0x8851af18,
    sasl_method=0x8854dc08 "DIGEST-MD5", init_response=0x0,
    reply=0x8851aee8) at xsasl_cyrus_server.c:529
[Remainder of stack trace omitted for brevity]

This stack trace was obtained after informing the GDB debugger of
SASL authentication methods that are linked in at runtime (example:
"add-symbol-file /usr/local/lib/sasl2/libdigestmd5.so.2 0x884b8e50").
Without that information, GDB reports a corrupted stack, because
it does not know that the program is executing legitimate code.

Impact analysis
===============

What context data structure bits does the DIGEST-MD5 method inherit
from the aborted CRAM-MD5 authentication request? As mentioned
earlier, different Cyrus SASL authentication methods have different
per-session context data structures.  In particular, the CRAM-MD5
method uses a small structure while DIGEST-MD5 uses a larger one.

The DIGEST-MD5 method will therefore access memory outside the block
that was allocated during the aborted CRAM-MD5 request. That is,
it accesses random memory on the heap. The contents of that memory
will depend on the malloc implementation and on the program execution
history.

Version 2.1.23 of the Cyrus SASL library implements 12 authentication
methods.  Of these, 9 methods maintain server session context data
structures that contain some mix of data and data pointers. When
these are read from random heap memory, or from a structure that
was allocated for a different SASL mechanism, all kinds of things
could happen. This is why remote code execution cannot be excluded.

Why the Cyrus SASL PLAIN and LOGIN methods are not affected
===========================================================

There is no memory corruption problem with the "AUTH PLAIN" method,
because this does not use or create a dynamically-allocated session
context data structure. In particular, sending "AUTH LOGIN" after
aborting or failing an "AUTH PLAIN" request does not result in
memory corruption, because the PLAIN authentication method does not
allocate a session context data structure. Also, sending "AUTH
PLAIN" after aborting or failing an "AUTH LOGIN" request does not
result in memory corruption, because the PLAIN authentication method
ignores the per-session context data structure that is created by
the LOGIN authentication method. Finally, there is no memory
corruption when the LOGIN authentication method inherits a session
context data structure from an aborted or failed "AUTH LOGIN"
request.

It is for these reasons that Postfix SMTP servers with Cyrus SASL
support for only PLAIN and LOGIN are not affected. Fortunately,
PLAIN + LOGIN is the most commonly-used configuration, usually
combined with TLS encryption to protect passwords on the wire. There
will be a minor memory leak, but the Postfix SMTP server limits the
number of failed requests and thereby limits the leak.

There is no memory corruption problem with the "AUTH ANONYMOUS"
method, because just like "AUTH PLAIN" this does not create or use
a dynamically-allocated session context data structure. However,
"AUTH ANONYMOUS" support should not be enabled as it can make an
SMTP server an open relay.

Timeline
========

  * April 8, 2011: Thomas Jarosch (Intra2net AG) reported the
    problem.

  * April 18, 2011: After completing a detailed analysis of what
    configurations are affected, and after testing solutions for
    Postfix 1.1 .. 2.9, Wietse asked CERT/CC to notify vendors.
    Thank you, CERT/CC.

  * April 20, 2011: Pre-release versions available for Postfix 2.5
    .. 2.8 and patches for Postfix 1.1 .. 2.9.

  * Most vendors honored Wietse's request to avoid non-public
    information in plaintext email headers or content. The exceptions
    were SUSE and Red Hat.  Shame on you, SUSE and Red Hat.

  * May 9, 2011: Announcement and public release of fixes.

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-05-09T12:39:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/126">
    <title>Postfix 2.8.2 stable release available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/126</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.2.html]

Postfix stable release 2.8.2 is available. This release has minor
fixes that are already in the experimental (2.9) release.

- Bugfix: postscreen DNSBL scoring error.  When a client disconnected
  and then reconnected before all DNSBL results for the earlier
  session arrived, DNSBL results for the earlier session would be
  added to the score for the later session. This is very unlikely
  to have affected any legitimate mail.

- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].

- Portability: FreeBSD closefrom() was back-ported to FreeBSD 7,
  breaking FreeBSD 7.x support retroactively.

- Portability: the SUN compiler had trouble with a pointer expression
  of the form ``("text1" "text2") + constant'' so we don't try to
  be so clever.

You can find Postfix version 2.8.2 at the mirrors listed at
http://www.postfix.org/

        Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-03-21T21:07:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/125">
    <title>Postfix 2.7.3, 2.6.9, 2.5.12 and 2.4.16 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/125</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.3.html]

Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was
introduced with Postfix version 2.2. The same flaw exists in other
implementations of the STARTTLS command.

    Note: CVE-2011-0411 is an issue only for the minority of SMTP
    clients that actually verify server certificates. Without server
    certificate verification, clients are always vulnerable to
    man-in-the-middle attacks that allow attackers to inject
    plaintext commands or responses into SMTP sessions, and more.

Postfix 2.8 and 2.9 are not affected.

The following problems were fixed with the Postfix legacy releases:

    * Fix for CVE-2011-0411: discard buffered plaintext input,
      after reading the SMTP "STARTTLS" command or response.  

    * Fix to the local delivery agent: look up the "unextended"
      address in the local aliases database, when that address has
      a malformed address extension.  

    * Fix to virtual alias expansion: report a tempfail error,
      instead of silently ignoring recipients that exceed the
      virtual_alias_expansion_limit or the virtual_alias_recursion_limit.

    * Fix for Solaris: the Postfix event engine was deaf for SIGHUP
      and SIGALRM signals after the switch from select() to /dev/poll.
      Symptoms were delayed "postfix reload" response, and killed
      processes with watchdog timeout values under 100 seconds.

    * Fix for HP-UX: the Postfix event engine was deaf for SIGALRM
      signals. Symptoms were killed processes with watchdog timeout
      values under 100 seconds.  

    * Fix for BSD-ish mkdir() to prevent maildir directories from
      inheriting their group ownership from the parent directory.

    * Fix to the SMTP client: missing support for mail to
      [ipv6:ipv6addr] address literal destinations.  

    * FreeBSD back-ported closefrom() from FreeBSD 8x to 7x, breaking
      Postfix builds retroactively.

Historical note:

    Wietse Venema discovered the problem two weeks before the
    Postfix 2.8 release, and silently fixed it pending further
    investigation. While investigating the problem's scope and
    impact, Victor Duchovni found that many other TLS applications
    were also affected. At that point, CERT/CC was asked to coordinate
    with the problem's resolution.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-03-07T20:18:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/124">
    <title>Postfix stable release 2.8.1 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/124</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.1.html]

Postfix stable release 2.8.1 is available. This release fixes one
"signal 11" bug with SMTP server debug logging, and cleans up some
code and documentation.

- Fixed a "signal 11" bug with Postfix SMTP server debug logging
  at smtpd_tls_loglevel &amp;gt;= 3.

- The Postfix SMTP and QMQP servers no longer look up IPv6 address
  information while looking up the FCRDNS (forward-confirmed reverse
  DNS) hostname for an IPv4 remote client (and vice versa).

- The postscreen(8) daemon no longer logs a "connection reset by
  peer" warning when a remote SMTP client hangs up prematurely.

- Removed spurious configuration parameters from "postconf" output,
  by deleting the #ifdef MIGRATION_WARNING transitional code from
  postscreen(8).

- Assorted minor documentation fixes.

You can find Postfix version 2.8.1 at the mirrors listed at
http://www.postfix.org/

Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-02-23T01:05:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/123">
    <title>Postfix 2.8.0 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/123</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.0.html]

Postfix stable release 2.8.0 is available. This release continues
the move towards improving code and documentation, and making the
system better prepared for changes in the threat environment.

- The postscreen daemon (a zombie blocker in front of Postfix) is
  now included with the stable release. postscreen now supports TLS
  and can log the rejected sender, recipient and helo information.
  See the POSTSCREEN_README file for recommended usage scenarios.

- Support for DNS whitelisting (permit_rhswl_client), and for pattern
  matching to filter the responses from DNS white/blacklist servers
  (e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).

- Improved message tracking across SMTP-based content filters; the
  after-filter SMTP server can log the before-filter queue ID (the
  XCLIENT protocol was extended).

- Read-only support for sqlite databases. See sqlite_table(5) and
  SQLITE_README.

- Support for 'footers' that are appended to SMTP server "reject"
  responses. See "smtpd_reject_footer" in the postconf(5) manpage.

No functionality has been removed, but it is a good idea to review
the RELEASE_NOTES file for the usual minor incompatibilities or
limitations.

You can find Postfix version 2.8.0 at the mirrors listed at
http://www.postfix.org/

The same code is also available as Postfix snapshot 2.9-20100120.
Updated versions of Postfix version 2.7, 2.6, 2.5 and 2.4 will be
released as time permits. Support for Postfix 2.4 will end soon.

Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2011-01-21T00:47:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/122">
    <title>Postfix stable/legacy release 2.7.2, 2.6.8, 2.5.11, and 2.4.15</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/122</link>
    <description>&lt;pre&gt;An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.2.html

The stable release Postfix 2.7.2 addresses the defects described
below.  These defects are also addressed in the legacy releases
that are still maintained.

Note: Postfix 2.3 and earlier are no longer updated. Support for
Postfix 2.4 will end in 2011.

Defects fixed with Postfix 2.7.2, 2.6.8, 2.5.11, and 2.4.15:

- Postfix no longer automatically appends the system default CA
  (certificate authority) certificates, when it reads the CA
  certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
  with {smtp, lmtp, smtpd}_tls_CApath.  This prevents third-party
  certificates from getting mail relay permission with the
  permit_tls_all_clientcerts feature.  Unfortunately, this change
  may cause compatibility problems with configurations that rely
  on certificate verification for other purposes.  To get the old
  behavior, specify "tls_append_default_CA = yes".

- A prior fix for compatibility with Postfix &amp;lt; 2.3 was incomplete.
  When pipe-to-command delivery fails with a signal, mail is now
  correctly deferred, instead of being returned to sender.

- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
  connections was fixed by adapting the output buffer size to the
  MTU.

- The SMTP server no longer applies the reject_rhsbl_helo feature
  to non-domain forms such as network addresses.  This would cause
  false positives with dbl.spamhaus.org.

- The Postfix SMTP server failed to deliver a "421" response and
  hang up the connection after Milter error.  Instead, the server
  delivered a "503 Access denied" response and left the connection
  open, due to some Postfix 1.1 workaround for RFC 2821.

Defects fixed with Postfix 2.7.2:

- The milter_header_checks parser failed to enable any of the actions
  that have no effect on message delivery (warn, replace, prepend,
  ignore, dunno, and ok).

You can find the updated Postfix versions at the mirrors listed at
http://www.postfix.org/

Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2010-11-23T22:31:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/121">
    <title>Postfix 2.7.1 stable release available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/121</link>
    <description>&lt;pre&gt;An on-line version of this announcement is available at
http://www.postfix.org/announcements/postfix-2.7.1.html

Postfix stable release 2.7.1 fixes one defect in the XFORWARD
implementation (for SMTP-based content filters), improves robustness,
and has updates for changes in system or library interfaces.

    * Bugfix (introduced Postfix 2.6) in the XFORWARD implementation,
      which sends remote SMTP client attributes through SMTP-based
      content filters. The Postfix SMTP client did not skip "unknown"
      SMTP client attributes, causing a syntax error when sending
      an "unknown" client PORT attribute.

    * Robustness: skip LDAP queries with non-ASCII search strings,
      instead of failing with a database lookup error.

    * Safety: Postfix processes now log a warning when a matchlist
      has a #comment at the end of a line (for example mynetworks
      or relay_domains).

    * Portability: OpenSSL 1.0.0 changes the priority of anonymous
      cyphers.

    * Portability: Mac OS 10.6.3 requires &amp;lt;arpa/nameser_compat.h&amp;gt;
      instead of &amp;lt;nameser8_compat.h&amp;gt;.

    * Portability: Berkeley DB 5.x is now supported.

The source code is available from
ftp://ftp.porcupine.org/mirrors/postfix-release/index.html and from
the mirrors listed at http://www.postfix.org/download.html.

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2010-06-08T14:07:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/120">
    <title>Postfix 2.6.7 legacy release available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/120</link>
    <description>&lt;pre&gt;An on-line version of this announcement is available at
http://www.postfix.org/announcements/postfix-2.6.7.html

Postfix legacy release 2.6.7 contains fixes that are also included
with Postfix 2.7 (stable release) and Postfix 2.8 (experimental
release).

NOTE: Postfix versions 2.3 and earlier are no longer updated.

NOTE: Postfix versions 2.4 and 2.5 are updated only for bugfixes
or critical problems.

    * Bugfix (introduced Postfix 2.6) in the XFORWARD implementation,
      which sends remote SMTP client attributes through SMTP-based
      content filters. The Postfix SMTP client did not skip "unknown"
      SMTP client attributes, causing a syntax error when sending
      an "unknown" client PORT attribute.

    * Robustness: skip LDAP queries with non-ASCII search strings,
      instead of failing with a database lookup error.

    * Portability: OpenSSL 1.0.0 changes the priority of anonymous
      cyphers.

    * Portability: Mac OS 10.6.3 requires &amp;lt;arpa/nameser_compat.h&amp;gt;
      instead of &amp;lt;nameser8_compat.h&amp;gt;.

    * Portability: Berkeley DB 5.x is now supported.

The source code is available from
ftp://ftp.porcupine.org/mirrors/postfix-release/index.html and from
the mirrors listed at http://www.postfix.org/download.html.

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2010-06-08T14:08:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.mail.postfix.announce/119">
    <title>Postfix legacy releases 2.6.6, 2.5.10, 2.4.14 available</title>
    <link>http://comments.gmane.org/gmane.mail.postfix.announce/119</link>
    <description>&lt;pre&gt;[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.6.6.html]

Postfix legacy releases 2.6.6, 2.5.10 and 2.4.14 contain fixes that
were already included with Postfix 2.7 (stable release) and Postfix
2.8 (experimental release).

NOTE: Postfix 2.3 is no longer updated.

Defects fixed with Postfix 2.6.6 only (more in the next section):

- "postmulti -p command" did not skip disabled instances.

- In the multi_instance_wrapper parameter, the expansion of
  $command_directory and $daemon_directory was broken.

- The address_verify_poll_count parameter value was not made
  stress-dependent by default. This defeated the purpose of making
  other settings stress-dependent by default with Postfix 2.6.

Defects fixed with Postfix 2.6.6, 2.5.10, 2.4.14:

- Milter applications would hang up after receiving an unexpected
  SMFIC_HEADER (mail header) command. This problem happened with
  Milters that (legitimately) do not send replies for SMFIC_RCPT
  (recipient address) or SMFIC_DATA (start of message) commands.

- Core dump while printing an error message for a malformed %&amp;lt;letter&amp;gt;
  sequence in LDAP, MySQL or PostgreSQL lookup table configuration.

- Mail with zero recipients was forever stuck in the queue. This
  happened when "postsuper -r" was run after all the recipients of
  a message were delivered (or bounced), but before the message was
  deleted from the queue.

- With hostnames such as 1-2-3-4, the valid_hostname() function did
  not recognize the '-' as a non-numeric character, causing a
  legitimate name to be rejected as "invalid".

- The VRFY command did not accept a mailbox address inside &amp;lt;&amp;gt;.

You can find the source code and patches at the mirrors listed at
http://www.postfix.org/

        Wietse

&lt;/pre&gt;</description>
    <dc:creator>Wietse Venema</dc:creator>
    <dc:date>2010-03-23T14:13:19</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.mail.postfix.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.mail.postfix.announce</link>
  </textinput>
</rdf:RDF>

