Postfix 3.11.4, 3.10.11, 3.9.12, and 3.8.18 Released: Updates Fix SMTP Client Crashes and Tighten Input Limits


Postfix has released versions 3.11.4, 3.10.11, 3.9.12, and 3.8.18, which address five low-impact bugs that can crash the SMTP client or waste server memory under heavy load, particularly when DANE authentication receives malformed DNS responses. The patch improves input handling for oversized SMTP commands and BDAT chunks to prevent resource exhaustion caused by misbehaving clients, and mail administrators are urged to apply the updates quickly, especially if they use Unbound or Cloudflare resolvers. The updates also fix how TLSA records are processed: malformed records can trigger crashes, which emphasizes the need to verify DNS behavior before patching. Lastly, administrators must update their mail server software by recompiling with their existing configuration flags, and should monitor mail logs after the upgrade for potential timeout issues.




Postfix 3.11.4 patches five low-impact bugs that can quietly crash the SMTP client or drain server memory under heavy load. The update specifically targets TLSA record parsing flaws that trigger null pointer reads and assertion failures when DANE authentication encounters malformed DNS responses. Three additional fixes tighten input handling for oversized SMTP command lines and BDAT chunks to prevent resource exhaustion from misbehaving clients. Mail administrators should apply the patch immediately on systems using Unbound or Cloudflare resolvers, while relying on rate limiting and DNSBL services to block distributed abuse.
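To triage a host against the releases listed above, the following added example (not from the Postfix project or the original article) compares a `mail_version` string with the fixed patch level for its branch and checks whether DANE is enabled globally. The function names are hypothetical helpers; `postconf -h` is the only Postfix command called, and a branch not named in the announcement is reported as unknown.

```shell
#!/bin/sh
# Added example. Patch levels below are the fixed releases named in the article.
fixed_patch_level() {            # branch -> first fixed patch number
    case "$1" in
        3.11) echo 4 ;;
        3.10) echo 11 ;;
        3.9)  echo 12 ;;
        3.8)  echo 18 ;;
        *)    return 1 ;;        # branch not covered by this announcement
    esac
}

# Prints patched | needs-update | unknown for a mail_version string.
postfix_patch_status() {
    ver=${1%%[!0-9.]*}           # strip suffixes such as "-RC1"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    branch=${ver%.*}
    patch=${ver##*.}
    min=$(fixed_patch_level "$branch") || { echo unknown; return 0; }
    # Numeric comparison: 3.10.9 is older than 3.10.11.
    if [ "$patch" -ge "$min" ]; then echo patched; else echo needs-update; fi
}

# True when the global SMTP client TLS level performs DANE/TLSA lookups.
# Per-destination settings in smtp_tls_policy_maps are not inspected here.
uses_dane() {
    case "$1" in
        dane|dane-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the local host only when Postfix is installed.
if command -v postconf >/dev/null 2>&1; then
    v=$(postconf -h mail_version 2>/dev/null) || v=
    lvl=$(postconf -h smtp_tls_security_level 2>/dev/null) || lvl=
    echo "mail_version=${v:-?} status=$(postfix_patch_status "$v")"
    if uses_dane "$lvl"; then
        echo "DANE is enabled globally: the TLSA parsing fixes apply to this host"
    fi
fi
```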

Postfix 3.11.4, 3.10.11, 3.9.12, and 3.8.18 Released: Updates Fix SMTP Client Crashes and Tighten Input Limits @ Linux Compatible