Subject: 2 Postfix vulnerabilities -- Postfix 2.0.6 backport for
To: None <tech-security@netbsd.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: tech-security
Date: 08/04/2003 22:05:39

This might call for a backport of the 2.0.6 upgrades from -current into
the -rnetbsd-1-6 branch:

http://cvsweb.netbsd.org/bsdweb.cgi/src/gnu/usr.sbin/postfix/Makefile

http://www.securityfocus.com/archive/1/331713/2003-08-01/2003-08-07/0

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0540

However, I haven't seen a proof-of-concept documented.  I'm going to test
it now.

-lava

-----Forwarded Message-----

Security Advisory - RHSA-2003:251-07
------------------------------------------------------------------------------
Summary:
New postfix packages fix security issues.

New Postfix packages that fix two potential security issues are now available.

Description:
Postfix is a Mail Transport Agent (MTA).

Two security issues have been found in Postfix that affect the Postfix
packages in Red Hat Linux 7.3, 8.0, and 9. 

Postfix versions before 1.1.12 allow an attacker to bounce-scan private
networks, or use the daemon as a DDoS tool by forcing the daemon to connect
to an arbitrary service at an arbitrary IP address and receiving either a
bounce message or by analyzing timing.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0468 to
this issue.

Postfix versions from 1.1 up to and including 1.1.12 have a bug where a
remote attacker could send a malformed envelope address and:

1) cause the queue manager to lock up until an entry is removed from the
queue or,

2) lock up the SMTP listener, leading to a DoS.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0540 to this issue.

Users of Postfix are advised to upgrade to these erratum packages, which
contain a version of Postfix 1.1.12 with the addition of a security patch
and are not vulnerable to either of these issues.

Red Hat would like to thank Michal Zalewski for discovering and disclosing
the flaws and Wietse Venema for providing patches.
[...snip...]