Software 44536 Published by

Postfix 3.11.5 landed on July 6, 2026, patching a slate of remote denial-of-service triggers and local memory corruption flaws across the widely deployed mail server. The vulnerabilities were uncovered by Qualys with research assistance from Anthropic's Claude Mythos Preview, and more than half of them have been hiding in the codebase for at least two decades. One of the defects traces back to the project's original 1997 build, though Postfix's defense-in-depth architecture means most of the issues require specific configurations to actually trigger. Alongside the security fixes, the release also updates legacy branches and addresses several code hygiene gaps tied to memory management and process isolation.



Postfix 3.11.5 Drops With DoS and Memory Corruption Fixes Found Using Claude AI

The 27-year-old mail server patches 15 vulnerabilities, many hiding in the codebase since the late 1990s.

Postfix just shipped version 3.11.5, and the changelog reads like a forensic audit of legacy C code. Qualys discovered a slate of medium-impact vulnerabilities, ranging from remote denial-of-service triggers to local memory corruption, with assistance from Anthropic's Claude Mythos Preview. More than half of the defects have been sitting in the codebase for at least twenty years. One of them dates back to the pre-alpha build in 1997.

The release lands July 6, 2026, alongside legacy updates for branches 3.5 through 3.10. That includes versions that have long fallen out of official support. Postfix creator Wietse Venema noted the entire codebase sits at roughly 150,000 lines, and even with this wave of findings, the error rate remains lower than what was originally designed for. You can run a quick sanity check on the patch list yourself.

Screenshot_from_2025_07_10_18_44_58

AI-Assisted Bug Hunting in Legacy C

Qualys ran its analysis with Claude Mythos Preview acting as a research assistant. The model didn't write exploit code or replace human review. It helped trace execution paths, flag double-free conditions, and spot missing null terminators in code that hasn't seen a major rewrite since the early 2000s. When you're looking at a 150,000-line C codebase that's been shipped to production continuously since 1998, a machine learning model is essentially a very fast pair of eyes for patterns that human auditors usually spot only after a code review cycle.

Several of these defects require specific configurations to actually matter. The postscreen out-of-memory bug needs PREGREET or DNSBL checks already enabled. The postlogd stack write requires contradicting maillog_file settings across two daemons. However, at the same time, the fact that an unprivileged attacker can trigger a stack write in postlogd under those conditions is worth patching regardless. You'd have to be deliberate to chain these, but the attack surface is real.

The Claude collaboration also surfaced a cleanup daemon heap over-read that triggers during a milter shutdown reply. The over-read content gets logged after masking unprintable characters, so it leans toward an information leak rather than a remote code execution vector. Not the kind of headline that makes it onto every security blog's front page, but still exactly the sort of thing that slips past traditional static analysis.

What Actually Changed in 3.11.5

The patch set covers three main categories. Remote denial-of-service fixes for the postscreen dummy SMTP engine and smtpd_proxy_filter component. Memory corruption patches tied to LDAP double-frees, a Milter client heap overwrite, and a missing null terminator in postlogd. And the crash pile, which includes a showq daemon read-after-free, a TLSRPT NULL pointer read, and a missing recursion guard for :include: files.

There's also a round of code hygiene patches that mostly clean up edge cases. The non-BerkeleyDB re-indexing server was ignoring uid and gid arguments. tlsmgr seed generation could fall back to stack-based pseudo-randomness after a RAND_bytes() failure. Venema added a hardening step to make sure the compiler optimizer won't delete the memset() call in myfree() that wipes memory.

Keep in mind that the legacy releases for branches 3.5 through 3.7 skip the patches for the June 2026 large SMTP inputs, TLSA parsing, and SMTP smuggling advisories. You'll need to apply those older patches separately if you are still running those older branches. The 3.8 through 3.11 lines get a complete fix.

"When I implemented Postfix, I knew that there were going to be mistakes," Venema wrote in the announcement. "That is the reason why Postfix has its architecture and safety nets." The design philosophy hasn't changed. Network-facing programs stay isolated in their own processes, external input never touches a shell, and queue files are treated as untrusted until they pass through a filter. It is an older security model, but it has held up remarkably well across roughly 2.5 million deployments worldwide.

If you run Postfix and haven't applied the latest patch, that's exactly the window this hits. You can grab the updated source for 3.11.5, 3.10.12, 3.9.13, 3.8.19, 3.7.21, 3.6.19, and 3.5.26 from the mirrors listed at postfix.org. The unstable branch 3.12-20260706 already includes all the same fixes for anyone who wants to test ahead of the next stable cycle. Head here to the official announcement for the full advisory and changelog.