[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.7.2.html]
This reverts an overly complex change in the postscreen SMTP engine (made during Postfix 3.7 development), and replaces it with much simpler code. The bad change was crashing postscreen on some systems after receiving malformed input (for example, a TLS "hello" message).
Workarounds are at the end of this text.
Under conditions described below, the postscreen program attempted to read through an uninitialized 'const' pointer. The pointer value depended on the compiler type and compiler options, but crucially, it did not depend on network inputs.
The conditions were that 1) postscreen was enabled (not the default), 2) SMTPUTF8 support was enabled (the default), and 3) postscreen received non-UTF8 input, for example, a TLS or RDP (remote desktop) handshake request.
Depending on compiler details, the result of the read operation could be "uninteresting", a combined memory leak and file handle leak, or a postscreen crash with a segmentation violation (signal 11).
The segmentation violation result was observed by Michael Grimm while running Postfix 3.7 and 3.8 on a FreeBSD 13.1 pre-release version, while the result was "uninteresting" with FreeBSD 13.0 (both systems use Clang instead of GCC). The result was also "uninteresting" on Fedora Linux with GCC, and on a few older systems with GCC.
Do nothing. On most systems the result is "uninteresting".
Do nothing. On systems where postscreen does crash, the crashes are rare, harmless, and postscreen restarts immediately when an SMTP client connects. On systems where postscreen does leak a file handle, it will restart when it reaches a resource limit.
Disable postscreen. Follow instructions in https://www.postfix.org/POSTSCREEN_README.html#turnoff.
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.