Postfix mail servers under pressure [Update]
Attackers can exploit a vulnerability in Postfix's policyd anti-spam module to take down the email server remotely and may even be able to completely take over the server. The CVE entry on the weakness states that insufficient validation of incoming SMTP commands by the w_read() function can cause a buffer overflow that allows arbitrary code to be injected.
All versions prior to the recently released version 1.81 are apparently affected by the problem. In his own comments, Cami Sardinha, the developer of policyd, says that the vulnerability does not, however, affect default installations, though he does not provide any further details.
Nonetheless, Germany's Computer Emergency Response Team has already released an advisory for the vulnerability. Mail admins who use postfix-policyd are advised to upgrade their installation as soon as possible. The Debian Linux distribution's package system, for instance, already contains patched 1.80 versions.
As if dealing with the policyd vulnerability were not enough, some Postfix admins are also pestered by massive performance problems that apparently came up this week. Reports describe numerous mail log entries referring to "lost connections", accompanied by a number of hanging smtpd processes. On high-volume servers in particular, this can mean that no more smtpd processes are available to handle incoming email connections – timeouts and massive delays in mail traffic may result.
Postfix expert Ralf Hildebrandt told heise Security that he believes the problem could be a "spam bot network running amok". His analysis found that the problematic connections mainly come from DSL networks and do not comply with SMTP: for instance, if the mail server rejects an email with an unknown recipient, the other end abruptly drops the TCP connection without terminating the SMTP session properly. This suggests that the performance issues and the policyd vulnerability are probably unrelated.
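The pattern Hildebrandt describes, a recipient rejection immediately followed by a dropped TCP connection, can be confirmed from the mail log before any tuning is done. The following script is an added example, not code from the article or from the Postfix project: it runs over a constructed sample of Postfix smtpd log lines (documentation IP ranges, invented hostnames and queue id), tallies "lost connection after" events per client and per SMTP stage, and counts how often a client dropped the connection right after its RCPT was rejected by the same smtpd process. The regular expressions follow the standard smtpd log format, including the "DATA (N bytes)" variant.

```python
import re
from collections import Counter

# Postfix smtpd messages this analysis relies on. "lost connection after X"
# means the client dropped TCP without a proper QUIT; "NOQUEUE: reject: RCPT"
# is a recipient rejection (for instance 550 user unknown).
LOST_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: lost connection after "
    r"(?P<stage>\w+)(?: \([^)]*\))? from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]"
)
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT "
    r"from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3})"
)

# Constructed sample mail log (not real traffic); addresses are from the
# documentation ranges and the hostnames and queue id are invented.
SAMPLE_LOG = """\
Jul 12 10:01:02 mx1 postfix/smtpd[2001]: connect from unknown[203.0.113.7]
Jul 12 10:01:02 mx1 postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bot@example.net> to=<nobody@example.com> proto=SMTP helo=<pc>
Jul 12 10:01:02 mx1 postfix/smtpd[2001]: lost connection after RCPT from unknown[203.0.113.7]
Jul 12 10:01:02 mx1 postfix/smtpd[2001]: disconnect from unknown[203.0.113.7]
Jul 12 10:01:05 mx1 postfix/smtpd[2002]: connect from unknown[203.0.113.7]
Jul 12 10:01:05 mx1 postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bot@example.net> to=<nobody@example.com> proto=SMTP helo=<pc>
Jul 12 10:01:05 mx1 postfix/smtpd[2002]: lost connection after RCPT from unknown[203.0.113.7]
Jul 12 10:01:09 mx1 postfix/smtpd[2003]: connect from unknown[198.51.100.23]
Jul 12 10:01:09 mx1 postfix/smtpd[2003]: lost connection after CONNECT from unknown[198.51.100.23]
Jul 12 10:01:12 mx1 postfix/smtpd[2004]: connect from mail.example.org[192.0.2.10]
Jul 12 10:01:13 mx1 postfix/smtpd[2004]: 1A2B3C4D5E: client=mail.example.org[192.0.2.10]
Jul 12 10:01:13 mx1 postfix/smtpd[2004]: disconnect from mail.example.org[192.0.2.10]
Jul 12 10:01:20 mx1 postfix/smtpd[2005]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bot@example.net> to=<nobody@example.com> proto=SMTP helo=<pc>
Jul 12 10:01:20 mx1 postfix/smtpd[2005]: lost connection after RCPT from unknown[203.0.113.7]
Jul 12 10:01:30 mx1 postfix/smtpd[2006]: lost connection after DATA (0 bytes) from unknown[198.51.100.23]
""".splitlines()


def analyse(lines):
    """Tally lost connections per client IP and per SMTP stage, and count how
    often a client dropped the connection right after its RCPT was rejected."""
    lost_by_client = Counter()
    lost_by_stage = Counter()
    abrupt_after_reject = Counter()
    # smtpd pid -> client IP whose RCPT that process has just rejected
    pending_reject = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            pending_reject[m["pid"]] = m["ip"]
            continue
        m = LOST_RE.search(line)
        if not m:
            continue
        lost_by_client[m["ip"]] += 1
        lost_by_stage[m["stage"]] += 1
        # Same smtpd process, same client, and the last thing it did was
        # reject a recipient: this is the abrupt disconnect described above.
        if pending_reject.pop(m["pid"], None) == m["ip"]:
            abrupt_after_reject[m["ip"]] += 1
    return lost_by_client, lost_by_stage, abrupt_after_reject


def suspects(lines, threshold=2):
    """Client IPs with at least `threshold` lost connections, busiest first."""
    lost_by_client, _, _ = analyse(lines)
    return [ip for ip, n in lost_by_client.most_common() if n >= threshold]


if __name__ == "__main__":
    by_client, by_stage, after_reject = analyse(SAMPLE_LOG)
    print("lost connections per client:", dict(by_client))
    print("lost connections per SMTP stage:", dict(by_stage))
    print("dropped right after a RCPT rejection:", dict(after_reject))
    print("clients worth a per-client connection limit:", suspects(SAMPLE_LOG))
```

On a live server, feed `/var/log/mail.log` to `analyse()` instead of the sample; a client list dominated by dynamic DSL reverse names that drop the connection straight after a rejection is exactly the signature Hildebrandt describes, and it is a better basis for per-client limits than a blanket increase of the process limit alone.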
Postfix creator Wietse Venema recommends that admins who experience a high number of hanging smtpd processes increase their process limit in master.cf and also configure the Postfix system for shorter timeouts and fewer filters, so that SMTP connections are processed as quickly as possible.
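The three knobs Venema names translate into the following configuration fragments. This is an added example, not configuration from the article or from Postfix's own documentation; the values are illustrative assumptions for a busy server and must be adapted to local load. All parameter names and the master.cf column layout are the standard Postfix ones.

```conf
# /etc/postfix/main.cf (added example, values are assumptions)
#
# Shorter timeouts: a client that goes silent after a rejection releases
# its smtpd process after 60s instead of the 300s default.
smtpd_timeout = 60s
# Clients that pile up errors are slowed down and then disconnected,
# so a misbehaving sender cannot hold a process for long.
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# Cap the number of simultaneous connections one client IP may hold
# (enforced by the anvil service), so a single source cannot exhaust
# the smtpd process pool.
smtpd_client_connection_count_limit = 10

# /etc/postfix/master.cf (added example)
#
# Raise the smtpd process limit: the maxproc column (here 200) overrides
# default_process_limit, which is 100 unless changed in main.cf.
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       200     smtpd
```

"Fewer filters" means keeping slow checks such as DNS-based blocklist lookups and external policy services out of the smtpd restriction lists where they are not needed, because every lookup lengthens the time each smtpd process is tied up per connection. After editing, `postfix reload` applies both files.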
Hildebrandt has compiled a comprehensive list of workarounds for the performance problems, which also affect Postfix installations that do not use the policyd module.
- policyd Release Notes for the new Version 1.81
- CVE-2007-3791, bug database entry on the policyd vulnerability
- lots of "lost connection after" : need help with optimization, report on Postfix performance problems
- Postfix busy, linux idle - what can one do?, compilation of suggested workarounds by Ralf Hildebrandt