Opened 4 months ago

Closed 4 months ago

#19049 closed enhancement (fixed)

postfix-3.8.4

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 12.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (8)

comment:1 by Douglas R. Reno, 4 months ago

Priority: normal → high
Summary: postfix-3.8.5 → postfix-3.8.4

From the Postfix website:

Newsflash

SMTP Smuggling Attack: an email spoofing attack was published a few days before Christmas 2023, before people had an opportunity to update their Postfix and other mail systems. Updates are now available for all supported Postfix stable releases. More at smtp-smuggling.html.

Check out https://www.postfix.org/smtp-smuggling.html for more details, but the gist is that there's a zero-day attack out there that allows for a spoofing attack. All installations of Postfix, as well as Sendmail and Exim are impacted.

I've looked upstream at both Sendmail and Exim and both look as if they are working towards a solution.

For public facing servers, administrators will need to add:

  • smtpd_forbid_bare_newline = yes
  • smtpd_forbid_bare_newline_exclusions = $mynetworks

To their /etc/postfix/main.cf configuration files after updating Postfix. $mynetworks can be set with defaults next time Postfix is started (see https://www.postfix.org/postconf.5.html#mynetworks )

Note that this attack also bypasses SPF and DMARC validation.

I don't currently have a system with Postfix, all of mine either use Sendmail or Exim, so I can't do this one (but can do sendmail/exim when those become available).

comment:2 by Douglas R. Reno, 4 months ago

  • Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.

The recommended settings are:

        # Optionally disconnect remote SMTP clients that send bare newlines,
        # but allow local clients with non-standard SMTP implementations
        # such as netcat, fax machines, or load balancer health checks.
        #
        smtpd_forbid_bare_newline = yes
        smtpd_forbid_bare_newline_exclusions = $mynetworks

The smtpd_forbid_bare_newline feature is disabled by default.
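The two settings above are what the rest of this ticket is about, so here is a small checker that reads a main.cf and reports whether the bare-newline countermeasure is actually on. This is an added example written for this ticket; it is not part of the BLFS book, the Postfix source, or postconf. It assumes 3.8.4 semantics (the parameter is a yes/no switch that is off by default, and the exclusion list defaults to $mynetworks, as the comment above states); the two main.cf fragments embedded in it are constructed samples, not the book's real configuration.

```python
"""Check a Postfix main.cf for the SMTP-smuggling countermeasure
recommended with postfix-3.8.4 (smtpd_forbid_bare_newline).

Added example for this ticket; not code from BLFS or Postfix.
"""
import re

# Constructed main.cf fragments (not the BLFS book's real configuration).
MAIN_CF_BEFORE = """\
# constructed: a main.cf written before postfix-3.8.4
myhostname = mail.example.test
mynetworks = 127.0.0.0/8,
    [::1]/128
"""

MAIN_CF_AFTER = """\
# constructed: the same file with the recommended settings appended
myhostname = mail.example.test
mynetworks = 127.0.0.0/8,
    [::1]/128
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations.
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value' lines, '#' comment lines and
    continuation lines that begin with whitespace.  A later assignment of
    the same name wins, which is what postconf does too."""
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # continuation of the previous parameter's value
            params[current] = params[current] + " " + stripped
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None
            continue  # not an assignment; postconf would warn about it
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Resolve $name / ${name} references (e.g. $mynetworks) recursively,
    with a depth bound so a hand-edited loop cannot hang the check."""
    if depth > 10:
        return value

    def repl(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return re.sub(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)", repl, value)


def check_smuggling_countermeasure(text):
    """Return whether the bare-newline countermeasure is enabled, which
    client ranges are exempt from it, and a list of human-readable findings."""
    params = parse_main_cf(text)
    setting = params.get("smtpd_forbid_bare_newline", "no").strip().lower()
    # 3.8.4 semantics: a yes/no switch that is off unless set to "yes".
    enabled = setting == "yes"
    # Default exclusion list is $mynetworks (Postfix release notes above).
    exclusions_raw = params.get(
        "smtpd_forbid_bare_newline_exclusions", "$mynetworks").strip()
    exclusions = expand(exclusions_raw, params)
    findings = []
    if not enabled:
        findings.append("smtpd_forbid_bare_newline is not 'yes': the bare-newline "
                        "countermeasure is OFF on this server")
    if exclusions_raw != "$mynetworks":
        findings.append("exclusions differ from the recommended $mynetworks: "
                        + (exclusions_raw or "<empty>"))
    return {"enabled": enabled, "exclusions": exclusions, "findings": findings}


if __name__ == "__main__":
    for label, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        result = check_smuggling_countermeasure(cf)
        print(f"{label}: enabled={result['enabled']} "
              f"exempt={result['exclusions']!r}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a real file with `check_smuggling_countermeasure(open("/etc/postfix/main.cf").read())`; an empty findings list means both recommended lines are in place. The parser deliberately honours continuation lines, because $mynetworks is often split across several lines and the exclusion list is only as correct as the expanded value of that parameter.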

comment:3 by Bruce Dubbs, 4 months ago

Using the current instructions in the book:

19.2 Elapsed Time -  postfix-3.8.4
 
md5sum : f2e5ac23387a5824bc365675697277e9  /usr/src/postfix/postfix-3.8.4.tar.gz
4752 /usr/src/postfix/postfix-3.8.4.tar.gz SIZE (4.640 MB)
158156 kilobytes BUILD SIZE (154.449 MB)
SBU=.204
 
hostname: pippin121
BFLAGS=-j4

comment:4 by Douglas R. Reno, 4 months ago

Thank you, can you confirm it works as expected? If it does I'll put it in the book, I have no good way to test it.

comment:5 by Douglas R. Reno, 4 months ago

Looking into it a bit further, this update will involve an update to the book's default configuration. We're going to need those "smtpd_forbid_bare_newline = yes" and "smtpd_forbid_bare_newline_exclusions = $mynetworks" lines added to the configuration to be protected from this vulnerability.

comment:6 by Douglas R. Reno, 4 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:7 by ken@…, 4 months ago

My understanding is that this change is only important for public-facing mail servers. For other uses (e.g. my own sending to local network, or using SASL to send to an ISP) it should make no functional difference. In my own case I use getmail to receive from my ISP.

There are similar changes in 3.7.9, 3.6.13 and 3.5.23 if anyone with a public-facing postfix server is using one of those series.

When 3.9.0 is released, I think I heard that these new settings will become default.

Discussed at the end of last week on oss-security; separate CVEs issued for postfix, sendmail and exim (CVE-2023-5176{4,5,6}).

comment:8 by Douglas R. Reno, 4 months ago

Resolution: fixed
Status: assigned → closed

Fixed at d524862aa9a04419c3223592a863092ff19cf5d6

SA-12.0-067 has been issued, with mentions about new point versions for prior minor versions of Postfix. The advisory also mentions the required configuration changes.
