CVE-2003-0540

Postfix <= 1.1.12 - Denial of Service via Malformed Envelope Address

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-0540. PoCs published by [email protected], r3b00t.

AI-analyzed exploit summary This exploit targets a denial of service vulnerability in Postfix 1.1.12 and below by sending a malformed envelope address. It connects to the SMTP port and sends a crafted email with a malformed 'MAIL From' field, causing the queue manager to lock up.

Description

The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.

Exploits (2)

exploitdb WORKING POC VERIFIED
by [email protected] · perldoslinux
https://www.exploit-db.com/exploits/22982

This exploit targets a denial of service vulnerability in Postfix 1.1.12 and below by sending a malformed envelope address. It connects to the SMTP port and sends a crafted email with a malformed 'MAIL From' field, causing the queue manager to lock up.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Postfix 1.1.12 and below
No auth needed
Prerequisites: Network access to the SMTP port (25) of the target Postfix server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by r3b00t · cdoslinux
https://www.exploit-db.com/exploits/22981

This exploit demonstrates a denial-of-service (DoS) vulnerability in Postfix up to version 1.1.12 by sending a malformed envelope address, causing the queue manager or SMTP listener to lock up. It establishes an SMTP connection and sends crafted commands to trigger the freeze.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Postfix up to and including 1.1.12
No auth needed
Prerequisites: Network access to the SMTP port (25) of the target Postfix server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000717
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/8333
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/895508
Mailing List vendor-advisory x_refsource_trustix
http://marc.info/?l=bugtraq&m=106029188614704&w=2
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2003:081
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-251.html
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-363
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=106001525130257&w=2
Various Sources vendor-advisory x_refsource_engarde
http://www.linuxsecurity.com/advisories/engarde_advisory-3517.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2003_033_postfix.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A544
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9433

Scores

EPSS 0.2126
EPSS Percentile 97.3%

Details

Status published
Products (9)
conectiva/linux 7.0
conectiva/linux 8.0
wietse_venema/postfix 1.0.21
wietse_venema/postfix 1.1.11
wietse_venema/postfix 1.1.12
wietse_venema/postfix 1999-09-06
wietse_venema/postfix 1999-12-31
wietse_venema/postfix 2000-02-28
wietse_venema/postfix 2001-11-15
Published Aug 27, 2003
Tracked Since Feb 18, 2026