CVE-2011-0411

Name of the Vulnerable Software and Affected Versions Postfix versions 2.4.x through 2.4.15 Postfix versions 2.5.x through 2.5.11 Postfix versions 2.6.x through 2.6.8 Postfix versions 2.7.x through 2.7.2

Description The issue allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. This occurs due to improper restriction of I/O buffering in the STARTTLS implementation.

Recommendations For Postfix versions 2.4.x through 2.4.15, update to version 2.4.16 or later. For Postfix versions 2.5.x through 2.5.11, update to version 2.5.12 or later. For Postfix versions 2.6.x through 2.6.8, update to version 2.6.9 or later. For Postfix versions 2.7.x through 2.7.2, update to version 2.7.3 or later.