
Security Issue in many mail systems

It always amazes me when one finds a security issue that looks like something that should never have happened in the first place.

This one was found earlier this year by Wietse Venema who first discovered the issue in Postfix.

He fixed the Postfix server quickly, but he went further: he tested many other servers by sending commands that bypass that very security measure and, to his surprise, found that Postfix was not the only system affected by the problem.

For those interested, all the details of the problem can be found on the Postfix website under CVE-2011-0411.

A simple explanation is as follows:

  • Connect to the server and ask it to switch to an encrypted channel (i.e. TLS)
  • In that same transmission, right behind the encryption command, include another command
  • That other command was expected to arrive encrypted, but the servers would accept it unencrypted when it was sent before the server had replied to the encryption command

This problem eluded most mail server software engineers because it is not customary to send more than one command at a time.

In Postfix, this has been fixed since January 2011. The problem had been there for 6 years prior.
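To make the mechanism concrete, here is an added model of what goes wrong in the server's input handling; it is constructed for this article and is not Postfix code. It simulates only the server's read buffer (no sockets, no real TLS): the TCP segment the client sends is one string, the TLS handshake is a flag flip, and the `discard_after_starttls` switch selects the buggy or the corrected behaviour. The command names and the sample addresses are constructed for the demonstration.

```python
"""
Constructed model of the STARTTLS plaintext command injection (CVE-2011-0411).
It reproduces the buffer-handling mistake, not any particular server's code.
"""
from dataclasses import dataclass, field
from typing import List

CRLF = "\r\n"


@dataclass
class Session:
    """Server-side view of one SMTP session."""
    buffer: str = ""                          # bytes read from the socket, not yet consumed
    tls_active: bool = False                  # True once the TLS handshake has completed
    log: List[str] = field(default_factory=list)


def read_line(sess: Session) -> str:
    """Pop one CRLF-terminated line from the input buffer (empty string if none)."""
    if CRLF not in sess.buffer:
        return ""
    line, _, sess.buffer = sess.buffer.partition(CRLF)
    return line


def serve(segment: str, discard_after_starttls: bool, after_handshake: str = "") -> List[str]:
    """
    Feed one TCP segment of client bytes to the model server and return a log of
    how each command was handled.

    segment            : plaintext the client sent in a single transmission
    after_handshake    : data the client legitimately sends over TLS afterwards
    discard_after_starttls=False : the bug. Leftover plaintext that was already
        in the read buffer survives the handshake and is parsed as if it had
        arrived over TLS.
    discard_after_starttls=True  : the fix. Anything pipelined behind STARTTLS
        is refused and dropped, so only bytes read after the handshake count
        as encrypted (this models the corrected behaviour in general terms,
        not one vendor's exact reply text).
    """
    sess = Session(buffer=segment)
    while True:
        line = read_line(sess)
        if not line:
            break
        verb = line.split(" ", 1)[0].upper().rstrip(":")
        if verb == "STARTTLS":
            if discard_after_starttls and sess.buffer:
                sess.log.append("STARTTLS rejected: plaintext pipelined behind it")
                sess.buffer = ""              # drop the injected plaintext
                break
            sess.log.append("220 ready for TLS")
            sess.tls_active = True            # the real handshake happens here
            # Bytes that arrive over the now-encrypted channel are queued
            # behind whatever is still sitting in the buffer.
            sess.buffer += after_handshake
            continue
        channel = "tls" if sess.tls_active else "plain"
        sess.log.append(f"{verb} handled over {channel}")
    return sess.log


if __name__ == "__main__":
    injected = "STARTTLS" + CRLF + "MAIL FROM:<sender@example.test>" + CRLF
    print("vulnerable:", serve(injected, discard_after_starttls=False))
    print("fixed:     ", serve(injected, discard_after_starttls=True))
    print("legit:     ", serve("STARTTLS" + CRLF, True,
                               after_handshake="MAIL FROM:<sender@example.test>" + CRLF))
```

In the vulnerable run the `MAIL` command that was sent in the clear is logged as "handled over tls": the server cannot tell it apart from data that really came through the encrypted channel, which is exactly the gap described above. The fixed run refuses the pipelined input, while a client that waits for the handshake before sending `MAIL` is served normally.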

The problem itself wasn't that bad. It only enabled attackers to obtain unencrypted data that, for some, was never expected to travel unencrypted.