Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS.

It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411)

Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The CERT/CC acknowledges Wietse Venema as the original reporter.

Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically.
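
The buffering flaw described above, modelled as an added example that is not Postfix code and not part of the advisory: it compares a receive path that keeps its buffer across STARTTLS with one that flushes it. All class and function names are hypothetical, the input bytes are constructed, and NOOP stands in for any command that arrives in the same plaintext read as STARTTLS.

```python
class SmtpSession:
    """Toy model of a server's receive path (hypothetical, not Postfix code)."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.rxbuf = b""        # bytes read from the socket but not yet parsed
        self.plain_bytes = 0    # leading bytes of rxbuf that arrived unencrypted
        self.tls_active = False
        self.log = []           # (command, tls_active_when_run, arrived_in_plaintext)

    def feed(self, data, over_tls):
        """Deliver one network read; over_tls says if it came through the TLS layer."""
        if not over_tls:
            self.plain_bytes += len(data)
        self.rxbuf += data
        while b"\r\n" in self.rxbuf:
            line, _, self.rxbuf = self.rxbuf.partition(b"\r\n")
            tainted = self.plain_bytes > 0
            self.plain_bytes = max(0, self.plain_bytes - len(line) - 2)
            self._run(line.decode("ascii"), tainted)

    def _run(self, command, arrived_in_plaintext):
        self.log.append((command, self.tls_active, arrived_in_plaintext))
        if command.upper() == "STARTTLS" and not self.tls_active:
            self.tls_active = True
            if self.flush_on_starttls:
                # The fix: nothing received before the handshake survives it.
                self.rxbuf = b""
                self.plain_bytes = 0

    def plaintext_commands_run_under_tls(self):
        """Commands executed in the encrypted phase that never passed through TLS."""
        return [cmd for cmd, tls, plain in self.log if tls and plain]


# Constructed input: one plaintext read carrying extra bytes after STARTTLS,
# followed by the client's first read that really came through TLS.
PLAINTEXT_READ = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"
TLS_READ = b"EHLO client.example\r\n"

def demo(flush_on_starttls):
    session = SmtpSession(flush_on_starttls)
    session.feed(PLAINTEXT_READ, over_tls=False)
    session.feed(TLS_READ, over_tls=True)
    return session.plaintext_commands_run_under_tls()

if __name__ == "__main__":
    print("buffer kept across STARTTLS:", demo(False))
    print("buffer flushed at STARTTLS: ", demo(True))
```

A non-empty result means the server treated unauthenticated plaintext bytes as part of the encrypted session, which is the condition the updated packages remove.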