Postfix
Postfix EOL Dates
Ensure that you are using a supported version of Postfix. Here are some end-of-life and end-of-support dates for Postfix.
Release | EOL Date | Status |
---|---|---|
3.9 | - | Active |
3.8 | - | Active |
3.7 | - | Active |
3.6 | February 16, 2025 | EOL. Postfix 3.6 became EOL in 2025. |
3.5 | March 6, 2024 | EOL. Postfix 3.5 became EOL in 2024. |
3.4 | April 17, 2023 | EOL. Postfix 3.4 became EOL in 2023. |
3.3 | February 5, 2022 | EOL. Postfix 3.3 became EOL in 2022. |
3.2 | April 29, 2021 | EOL. Postfix 3.2 became EOL in 2021. |
3.1 | March 15, 2020 | EOL. Postfix 3.1 became EOL in 2020. |
3.0 | February 27, 2019 | EOL. Postfix 3.0 became EOL in 2019. |
2.11 | February 21, 2018 | EOL. Postfix 2.11 became EOL in 2018. |
2.10 | February 28, 2017 | EOL. Postfix 2.10 became EOL in 2017. |
2.9 | February 24, 2016 | EOL. Postfix 2.9 became EOL in 2016. |
2.8 | February 8, 2015 | EOL. Postfix 2.8 became EOL in 2015. |
2.6 | February 11, 2013 | EOL. Postfix 2.6 became EOL in 2013. |
2.5 | February 6, 2012 | EOL. Postfix 2.5 became EOL in 2012. |
By the Year
In 2025 there have been 0 vulnerabilities in Postfix. Postfix did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 1 | 5.30 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 1 | 5.30 |
2019 | 0 | 0.00 |
2018 | 1 | 7.80 |
It may take a day or so for new Postfix vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Postfix Security Vulnerabilities
CVE-2023-51764 (5.3 - Medium), December 24, 2023
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
Weakness: Insufficient Verification of Data Authenticity

CVE-2020-12063 (5.3 - Medium), April 24, 2020
A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a "Sender address rejected: not logged in" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages (except for exact matches to a sender address in the /etc/postfix/sender_login file) is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability.

CVE-2017-10140 (7.8 - High), April 16, 2018
Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.

CVE-2011-0411, March 16, 2011
The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack.
Weakness: Permissions, Privileges, and Access Controls

CVE-2008-4977, November 06, 2008
postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it."
Weakness: Insecure Temporary File

CVE-2008-2936, August 18, 2008
Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.
Weakness: Permissions, Privileges, and Access Controls