CERT-FR published an advisory on November 26, 2025. The note explains a logic flaw in Postfix that lets remote attackers skip SMTP restrictions and query access maps without authenticating.
Affected versions
The issue is present in:
- all releases before 3.8.13
- all releases before 3.9.7
- all releases before 3.10.6
Updated builds came out on the same day.
What the bug does
Postfix checks rules during different steps of an SMTP session. These checks decide if a client, sender, or recipient is allowed. Many admins use access maps to handle these decisions.
The flaw sits in the code that finishes the DATA phase. With the right input, an attacker can make Postfix close one message while still carrying over state from the earlier part of the session. Postfix then applies the wrong set of rules to what follows.
This can lead to:
- blocked senders or recipients being accepted
- access maps being queried from outside
- parts of a map leaking, or the server relaying mail it should not relay
The attack does not need authentication. Anyone who can reach port 25 or 587 can try it.
When it works
The bug shows up when these conditions hold:
- smtpd_data_restrictions or smtpd_end_of_data_restrictions are set
- at least one access map is used in sender, client, or recipient checks
- the server accepts SMTP commands with odd line endings
Public exploit code is not out yet, but some admins have already seen early scans in their logs.
Fix
The fix is simple: install one of the patched versions.
- 3.10.6
- 3.9.7
- 3.8.13
Most major distributions pushed updates on November 27 and 28. Debian, Ubuntu, RHEL, Fedora, and the BSDs have packages ready.
After updating, reload Postfix:
postfix reload
No extra changes are needed. The patch fixes the logic error.
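A pre-update check that covers the conditions listed under "When it works" together with the fixed releases listed above. It is added here as an example and is not taken from the advisory or from the Postfix project; it assumes Postfix's own `postconf` is on the path and that mail_version is a plain x.y.z string.

```shell
# Added check (not from the advisory or the Postfix project): is this host on a
# release that predates the fix, and are the advisory's preconditions present?
# Assumes plain x.y.z version strings as printed by `postconf -h mail_version`.
FIXED_VERSIONS="3.8.13 3.9.7 3.10.6"   # fixed releases named in the advisory

split_version() {   # sets MAJ MIN PAT from x.y[.z]; a missing z counts as 0
    MAJ=${1%%.*}; rest=${1#*.}
    case $rest in
        *.*) MIN=${rest%%.*}; PAT=${rest#*.} ;;
        *)   MIN=$rest; PAT=0 ;;
    esac
}

# version_is_fixed VERSION: 0 if VERSION is at or above its branch's fixed
# release, or on a branch newer than 3.10; 1 if it predates the fix.
version_is_fixed() {
    split_version "$1"; v_maj=$MAJ; v_min=$MIN; v_pat=$PAT
    for f in $FIXED_VERSIONS; do
        split_version "$f"
        if [ "$v_maj" -eq "$MAJ" ] && [ "$v_min" -eq "$MIN" ]; then
            [ "$v_pat" -ge "$PAT" ]; return
        fi
    done
    [ "$v_maj" -gt 3 ] || { [ "$v_maj" -eq 3 ] && [ "$v_min" -gt 10 ]; }
}

# uses_access_map LIST: 0 if a restriction list contains a check_*_access rule.
uses_access_map() {
    case "$1" in *check_*_access*) return 0 ;; esac
    return 1
}

# preconditions_present DATA EOD CLIENT SENDER RECIPIENT: 0 when a data or
# end-of-data restriction list is set AND some client/sender/recipient list
# consults an access map (the two configuration conditions the advisory lists).
preconditions_present() {
    [ -n "$1" ] || [ -n "$2" ] || return 1
    uses_access_map "$3" || uses_access_map "$4" || uses_access_map "$5"
}

# Live report (only where Postfix's own postconf is available).
if command -v postconf >/dev/null 2>&1; then
    ver=$(postconf -h mail_version); p() { postconf -h "$1"; }
    if version_is_fixed "$ver"; then echo "mail_version $ver: includes the fix"
    elif preconditions_present "$(p smtpd_data_restrictions)" "$(p smtpd_end_of_data_restrictions)" \
         "$(p smtpd_client_restrictions)" "$(p smtpd_sender_restrictions)" "$(p smtpd_recipient_restrictions)"; then
        echo "mail_version $ver predates the fix and the preconditions match: update now"
    else echo "mail_version $ver predates the fix: update to one of $FIXED_VERSIONS"; fi
fi
```

Distribution packages may backport the fix without raising mail_version, so treat a "predates the fix" result as a prompt to check the package changelog, not as proof.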
Sources
- CERT-FR advisory CERTFR-2025-AVI-1040
- Postfix release notes on postfix.org
- Vendor updates from Debian, Ubuntu, and Red Hat
Servers that stay on older versions remain exposed. Updating now is the safest move.