(Vendor Issues Fix) Re: Postfix Mail Server Can Be Crashed By Remote Users Initiating Unsuccessful Sessions
SecurityTracker Alert ID: 1002758
SecurityTracker URL: http://securitytracker.com/id/1002758
Date: Nov 15 2001
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Postfix version 20010228-pl05; other versions are apparently affected
A denial of service vulnerability was reported in the Postfix mailer. A remote user can cause the mail server to consume all available memory and crash.
It is reported that a remote user can cause the Postfix smtpd to consume all available memory by initiating a large number of unsuccessful sessions. This is apparently due to the lack of a resource limit on the dynamically allocated SMTP session log.
A remote user can cause the mail server to consume all available memory and crash.
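The missing resource limit described above, shown as an added example that is not Postfix code and not part of the original advisory: a per-session conversation log with a hard cap on stored lines and on bytes kept per line. All names and limits (`session_log`, `HIST_MAX_LINES`, `HIST_MAX_LINE_LEN`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names and limits; this is not Postfix source. */
#define HIST_MAX_LINES    100   /* assumed cap on lines kept per session */
#define HIST_MAX_LINE_LEN 512   /* assumed cap on bytes kept per line */
typedef struct {
    char  *lines[HIST_MAX_LINES];
    size_t count;                /* lines currently held */
    size_t dropped;              /* lines discarded at the cap */
} session_log;

/* Free every recorded line so the log starts empty again. */
void session_log_reset(session_log *log)
{
    while (log->count > 0)
        free(log->lines[--log->count]);
    log->dropped = 0;
}

/* Record one line of the conversation. Returns 1 if stored, 0 if dropped. */
int session_log_append(session_log *log, const char *text)
{
    size_t len = strlen(text);
    char *copy;
    if (len > HIST_MAX_LINE_LEN)
        len = HIST_MAX_LINE_LEN;         /* truncate oversized client input */
    /* At the cap (or out of memory): count the line, allocate nothing more. */
    if (log->count >= HIST_MAX_LINES || (copy = malloc(len + 1)) == NULL) {
        log->dropped++;
        return 0;
    }
    memcpy(copy, text, len);
    copy[len] = '\0';
    log->lines[log->count++] = copy;
    return 1;
}

int main(void)
{
    session_log log = {0};
    /* Constructed input: one client repeating a rejected command 10000 times. */
    for (int i = 0; i < 10000; i++)
        session_log_append(&log, "RCPT TO:<nobody@example.invalid>");
    printf("kept=%zu dropped=%zu\n", log.count, log.dropped);
    session_log_reset(&log);
    return 0;
}
```

With these limits one session's log can never hold more than `HIST_MAX_LINES * (HIST_MAX_LINE_LEN + 1)` bytes of line data, however many commands the client sends.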
The vendor has released a patch that applies to any Postfix release that was issued in the year 2001. Fully patched releases will be made available shortly at various sites, including:
The patch is provided in the Source Message.
Vendor URL: www.postfix.org/
Underlying OS: Linux (Any), UNIX (Any)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Postfix session log memory exhaustion bugfix
The Postfix SMTP server maintains a record of SMTP conversations
for debugging purposes. Depending on local configuration details
this record is mailed to the postmaster whenever an SMTP session
terminates with errors.
During code maintenance, a stupid error was introduced into the
code due to which the SMTP session log could grow to an unreasonable
size. This stupid error made Postfix vulnerable to a memory
This error is all my own fault and I take full responsibility for
A similarly stupid memory exhaustion vulnerability was found in
the qmail SMTP server more than four years ago. It was never fixed.
The patch below applies to any Postfix release that was issued in
the year 2001. Fully patched releases will be made available via
the usual web sites listed in www.postfix.org.
Thank you for your attention.
*** ./smtpd.c- Sun Oct 28 19:31:14 2001
--- ./smtpd.c Wed Nov 14 22:21:46 2001
*** 1060,1065 ****
--- 1060,1077 ----
state->where = SMTPD_AFTER_DOT;
+ * Notify the postmaster if there were errors. This usually indicates a
+ * client configuration problem, or that someone is trying nasty things.
+ * Either is significant enough to bother the postmaster. XXX Can't
+ * report problems when running in stand-alone mode: postmaster notices
+ * require availability of the cleanup service.
+ if (state->history != 0 && state->client != VSTREAM_IN
+ && (state->error_mask & state->notify_mask))
* Cleanup. The client may send another MAIL command.
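Review bot: The added test `if (state->history != 0 && state->client != VSTREAM_IN` `&& (state->error_mask & state->notify_mask))` after `state->where = SMTPD_AFTER_DOT;` has no statement visible under it in this hunk, and nothing shown here releases or resets `state->history` before the "The client may send another MAIL command" cleanup. Since the bug being fixed is a session log that grows without limit, please make the reset of the history at this point explicit in the hunk (or point to where it happens), so a reader can see that the log is emptied per message and not only at session end. The XXX remark about stand-alone mode also leaves unstated what happens to the accumulated history when no notice can be sent; a sentence on that in the comment would help.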