Robustness: the Postfix SMTP server will no longer receive
	(and discard) an unlimited amount of text while receiving
	a long SMTP command line. Problem introduced: Postfix 2.9,
	date: 20110205; reported by Michael Wollner (Ibonok). Under
	high load conditions, the amount of text was already limited
	by a 10-second deadline to receive an SMTP command.

	Robustness: with the above change the Postfix SMTP client
	will no longer receive (and discard) an unlimited amount
	of text while receiving a long SMTP response line.

        Impact statement: 
        =================

	Postfix should not receive and discard unlimited amounts
	of input in SMTP commands, but fixing that will not
	fundamentally change the situation.

	By design, any SMTP client can force a server to receive
	(and discard) an unlimited amount of text.

	For example, an attacker can repeatedly send messages that
	are a little under the server's message size limit and abort
	each transaction a before reaching the message end. When
	sending a message with the "DATA" command, an attacker would
	disconnect instead of sending <CR><LF>.<CR><LF>; and when
	sending a message with the "BDAT" command, an attacker would
	send "RSET" instead of "BDAT LAST".

        To mitigate such abuse, Postfix can rate-limit the number
        of message transactions from the same IP address or address
        range (see smtpd_client_message_rate_limit and *prefix_length
        parameters). Such a defense is ineffective when faced with
        a distributed attack (botnet); for that, postscreen combined
        with an IP reputation service (DNSBL) may be more effective.

diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' '--exclude=INSTALL' --no-dereference -r -ur --new-file /var/tmp/postfix-2.9.15/src/global/smtp_stream.c ./src/global/smtp_stream.c
--- /var/tmp/postfix-2.9.15/src/global/smtp_stream.c	2012-01-14 19:40:22.000000000 -0500
+++ ./src/global/smtp_stream.c	2026-06-15 16:06:55.123829879 -0400
@@ -365,7 +365,12 @@
 	&& vstream_feof(stream) == 0 && vstream_ferror(stream) == 0)
 	while ((next_char = VSTREAM_GETC(stream)) != VSTREAM_EOF
 	       && next_char != '\n')
-	     /* void */ ;
+	    if (--bound <= 0) {
+		msg_warn("disabling input from %s", VSTREAM_PATH(stream));
+		vstream_fpurge(stream, VSTREAM_PURGE_READ);
+		shutdown(vstream_fileno(stream), SHUT_RD);
+		break;
+	    }
 
     /*
      * EOF is bad, whether or not it happens in the middle of a record. Don't