https://blog.kalfaoglu.net/tags/email/Recent content in Email on kalfaoglu.netHugoenThu, 07 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-07-postfix-3112-cve-2026-43964-en/Thu, 07 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-07-postfix-3112-cve-2026-43964-en/<p>On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn&rsquo;t), but because one of the bugs patched in this release has been sitting in the codebase since 2005.</p> <h2 id="the-cve-worth-knowing-about">The CVE Worth Knowing About</h2> <p><a href="https://cve.threatint.eu/CVE/CVE-2026-43964">CVE-2026-43964</a> is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like <code>5.7.2</code> without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash.</p>https://blog.kalfaoglu.net/posts/2026-05-04-dovecot-security-advisory-en/Mon, 04 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-04-dovecot-security-advisory-en/<p>In late March, the Dovecot team published advisory <a href="https://seclists.org/fulldisclosure/2026/Mar/13">OXDC-ADV-2026-0001</a> — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention.</p> <p>Here is a breakdown of what matters, in roughly descending order of alarm.</p> <h2 id="the-serious-ones">The Serious Ones</h2> <p><strong>CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH)</strong></p>