The Postfix Home Page
All programmers are optimists -- Frederick P. Brooks, Jr.
First of all, thank you for your interest in the Postfix project.
Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different.
A recent twitter post reveals the existence of an exploit for Postfix, in a collection of what appear to be NSA break-in tools. https://twitter.com/JulianAssange/status/850870683831648256
This is an exploit for Postfix 2.0 - 2.2, for a bug that was fixed 11 years ago in Postfix 2.2.11 and later.
There was a memory corruption bug in a Postfix workaround for a Sendmail bug (CERT advisory CA-2003-07, remote buffer overflow in Sendmail when message headers contain lots of comment text before or after an email address).
Technical details: the Postfix strip_address() function, which removes large comments from a mail header, called the printable() function on a string that wasn't null-terminated. Because printable() scans forward until it finds a null byte, it kept reading and rewriting past the end of the malloc()ed memory, corrupting the memory heap.
Running the exploit against Postfix versions less than 11 years old results in odd-looking email messages in the super-user's mailbox, and warning messages in the maillog file (warning: stripping too many comments from address: <long character string>).
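The bug pattern described above, as an added illustration that is not Postfix code: a "make printable" routine that walks to the terminating null is handed a byte range that was copied without one, so it keeps going into whatever sits after the range. The helper names printable_nul() and printable_len(), the sample address fragment, and the canary bytes standing in for neighbouring heap data are all assumptions made for this demo; the real printable() and strip_address() are not reproduced here. The demo keeps everything inside one allocation and places a null after the canary so it stays in bounds, which the real bug did not.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define REPL       '?'   /* replacement for non-printable bytes (assumption) */
#define CANARY_LEN 4     /* bytes standing in for a neighbouring heap chunk */

/* Hypothetical stand-in for a null-terminated "make printable" routine:
 * it scans until the first '\0' and has no idea where the caller's
 * buffer really ends. Correct for a C string, wrong for a bare range. */
static char *printable_nul(char *s)
{
    for (char *cp = s; *cp != '\0'; cp++)
        if (!isprint((unsigned char)*cp))
            *cp = REPL;
    return s;
}

/* Length-bounded variant: the caller says how many bytes are its own,
 * and the loop never touches s[len] or beyond. */
static char *printable_len(char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)s[i]))
            s[i] = REPL;
    return s;
}

/* Build the layout [ fragment, no null ][ canary 0x01 x4 ][ '\0' ],
 * run one of the two routines on the fragment, and report how many
 * canary bytes were rewritten. Returns -1 on allocation failure. */
static int run_case(int bounded)
{
    const char *frag = "user@example.com";        /* constructed sample */
    size_t n = strlen(frag);
    char *buf = malloc(n + CANARY_LEN + 1);
    if (buf == NULL)
        return -1;

    memcpy(buf, frag, n);                         /* deliberately no '\0' */
    memset(buf + n, 0x01, CANARY_LEN);            /* non-printable neighbours */
    buf[n + CANARY_LEN] = '\0';                   /* keeps this demo in bounds */

    if (bounded)
        printable_len(buf, n);
    else
        printable_nul(buf);

    int clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (buf[n + i] != 0x01)
            clobbered++;

    free(buf);
    return clobbered;
}

int main(void)
{
    /* Unbounded scan rewrites every canary byte; bounded scan rewrites none. */
    return (run_case(0) == CANARY_LEN && run_case(1) == 0) ? 0 : 1;
}
```

The unbounded call turns all four canary bytes into '?' because nothing stops it at the end of the fragment; the length-bounded call leaves them untouched. In Postfix the "canary" was live heap memory, which is why the page describes heap corruption rather than a clean crash.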
About this website
This website has information about the Postfix source code distribution. Built from source code, Postfix can run on UNIX-like systems including AIX, BSD, HP-UX, Linux, MacOS X, Solaris, and more.
Postfix is also distributed as ready-to-run code by operating system vendors, appliance vendors, and other providers. Their versions may have small differences with the software that is described on this website.