For those wondering about CVE-2011-0411 / VU#555316 status:

http://marc.info/?l=postfix-users&m=129952854117623
http://www.kb.cert.org/vuls/id/555316

Amavisd-new is NOT AFFECTED by this vulnerability even when TLS is used ($tls_security_level_in).

Version 2.6.4 and earlier does not use a stream and does not buffer SMTP data at this level. Switching to TLS replaces the I/O methods.

Version 2.7.0(-pre*) does use buffering at the application level of transport, but properly discards any buffered leftovers (pipelining violations) when switching to TLS after a STARTTLS command.

Mark
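
The buffer handling described in the message above, as an added example that is not part of the original post and is not amavisd-new code. The class, function and variable names are hypothetical, and the input segment is constructed; the `discard_on_tls=False` mode models a transport that keeps its plaintext buffer across the switch to TLS.

```python
# Added illustration only; names are hypothetical, not taken from amavisd-new.
class BufferedSmtpReader:
    """SMTP line reader with an application-level receive buffer."""

    def __init__(self, discard_on_tls=True):
        self.buf = bytearray()
        self.tls_active = False
        self.discard_on_tls = discard_on_tls

    def feed(self, data):
        """Append bytes from one socket read (may contain several lines)."""
        self.buf += data

    def readline(self):
        """Return the next CRLF-terminated line without CRLF, or None."""
        idx = self.buf.find(b"\r\n")
        if idx < 0:
            return None
        line = bytes(self.buf[:idx])
        del self.buf[:idx + 2]
        return line

    def start_tls(self):
        """Switch to TLS; return how many buffered plaintext bytes were dropped."""
        dropped = 0
        if self.discard_on_tls:
            # Anything still buffered arrived in plaintext after STARTTLS:
            # a pipelining violation, so it must not survive the switch.
            dropped = len(self.buf)
            self.buf.clear()
        self.tls_active = True
        return dropped


def handle_segment(segment, discard_on_tls):
    """Return (lines read before TLS, plaintext lines read as if under TLS, dropped bytes)."""
    reader = BufferedSmtpReader(discard_on_tls)
    reader.feed(segment)
    before_tls, after_tls, dropped = [], [], 0
    while (line := reader.readline()) is not None:
        if reader.tls_active:
            after_tls.append(line)  # plaintext treated as TLS-protected input
        else:
            before_tls.append(line)
            if line.upper() == b"STARTTLS":
                dropped = reader.start_tls()
    return before_tls, after_tls, dropped


# Constructed input: one plaintext segment carrying STARTTLS plus a trailing command.
SEGMENT = b"STARTTLS\r\nNOOP\r\n"

if __name__ == "__main__":
    print("discarding:", handle_segment(SEGMENT, True))
    print("retaining: ", handle_segment(SEGMENT, False))
```
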
