Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.2.html]

Fixed in Postfix 3.11:

• Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon dereferenced an uninitialized pointer after a request protocol error. This daemon is not exposed to local or remote users. Found by Claude Opus 4.6.

• Bugfix (defect introduced: 20260309) a change, to set the service_name default value to "amnesiac", violated a test that parameter names in postconf output must match 1:1 with parameter names in the postlink script.

Fixed in Postfix 3.10:

• Bugfix (defect introduced: Postfix 3.10): The RFC 2047 encoder for the sender "full name" could loop when a very long full_name_encoding_charset value was configured in main.cf. Found by Claude Opus 4.6.

Fixed in Postfix 3.8, 3.9, 3.10:

• Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer over-read when Postfix an enhanced status code is not followed by other text. For example, "5.7.2" without text after the three-number code. This CANNOT be triggered with an SMTP or LMTP server response; is confirmed with an access(5) table and likely with a policy server response; can possibly be triggered with pipe-to-command output, header_checks(5), body_checks(5), an error(8) transport in transport_maps, or a milter response; and is confirmed with a DNSBL server TXT response while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps or default_rbl_reply. This could result in process termination. Problem reported by Kamil Frankowicz.

  For older Postfix versions, a buffer over-read patch is included at the end of this text.

• Code cleanup: log a fatal error instead of dereferencing a null pointer after a first/next cursor initialization failure. Fedor Vorobev. This affected the Berkeley DB client.

Fixed in Postfix 3.8, 3.9, 3.10. 3.11:

• Portability: support for recent FreeBSD, NetBSD, and OpenBSD versions. Brad Smith.

• Bugfix (defect introduced: Postfix 2.2, date 20041207): When truncating a database file, the cdb: database client looked at the file size from before requesting an exclusive lock on a database file, instead of the file size after the exclusive lock was granted. Found by Claude Opus 4.6.

• Bugfix (defect introduced: Postfix alpha, date 19980309): file descriptor leak after fork() failure. Found by Claude Opus 4.6.

• Mistakes in debug logging. Found by Claude Opus 4.6. This affected two files in Postfix 3.8 and 3.9, three files in Postfix 3.10 and 3.11.

• Unchecked null pointer results after an out-of-memory condition in a library dependency. Found by Claude Opus 4.6. The fix is to return an error status or to log a fatal error. This affected three source files.

• Missing or incomplete guards for ssize_t or int overflow, found by Claude Opus 4.6. This affected three source files. These limits are unlikely to be exceeded because the size of in-memory objects is limited by design (the number of in-memory objects is also limited).

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.

Buffer over-read patch for Postfix 2.3 .. 3.7:

 --- /var/tmp/postfix-3.8.15/src/global/dsn_util.c	2006-01-07 20:28:37.000000000 -0500 +++ src/global/dsn_util.c	2026-05-01 16:59:50.961688175 -0400 @@ -155,5 +155,5 @@  	strncpy(dp->dsn.data, cp, len);  	dp->dsn.data[len] = 0; -	cp += len + 1; +	cp += len;      } else if ((len = dsn_valid(def_dsn)) > 0) {  	strncpy(dp->dsn.data, def_dsn, len); 

• View downloads
• View release notes

• View downloads
• View release notes

• View downloads

1.6.1 (2026-05-04)

Features

• Updates: Update-available detection with non-dismissible notice and dev-reload refresh
• Plugins: New plugin hooks for compose, attachments, search, lifecycle, and routing
• Sharing: Share indicators for calendars and contacts, updated JMAP capabilities (#244)
• Mail: Auto-add recipients to trusted senders when replying
• Identity: Sanitize identity display name to prevent invalid From headers

Fixes

• Mobile: Synchronize mobile submenu view with browser history for better navigation
• Viewer: Update email viewer styles to improve overflow handling
• Auth: Ensure cookieSlot consistency during account updates in auth store
• Auth: Thread per-account cookie slot through OAuth flows
• Calendar: Square the colored left marker on calendar events
• About: Show git commit in About instead of "unknown"

i18n

• Update mailbox context menu translations across 12 locales

CSMWrap Version 3.1.0

Changelog since CSMWrap 3.0.1

New Features

• Non-VGA option ROM dispatch - CSMWrap now enumerates legacy x86 option ROMs from non-VGA PCI devices (NIC PXE ROMs, RAID/storage ROMs, etc.) and dispatches them through the CSM, mirroring what a real CSM would do.
• $PIR table synthesis - A PCI BIOS Specification 2.1 $PIR table is now synthesized from ACPI _PRT/_PRS and handed to SeaBIOS so legacy OSes can get non-ACPI PCI IRQ routing.
• Working APM shutdown and reboot - APM Set Power State (off/reboot) now trampolines through the helper core into UEFI's ResetSystem runtime service. Previously these calls were no-ops.
• CPU visibility configuration - Three new csmwrap.ini options (system_thread, cpu_allowlist, cpu_blocklist) let you pin the BIOS proxy helper core to a specific APIC ID and hide arbitrary APs.
• Auto-select GPU with working OpROM - When the primary GPU's option ROM can't be claimed (VGA arbitration fails, no legacy image, oversized ROM), CSMWrap now falls through to the next VGA-class device instead of giving up.
• And more!

Bug Fixes

• Many bug fixes and improvements across PCI, APIC/x2APIC/MP tables, AMD MTRR and PAM unlocking, AMD IOMMU teardown order, GOP/VGA arbitration, e820 generation, and more.

SeaBIOS

• Many bug fixes and improvements across xHCI/EHCI/OHCI/UHCI, AHCI/NVMe/eMMC, and more.

Full Changelog: 3.0.1...3.1.0