Opened 23 months ago
Closed 23 months ago
#19164 closed enhancement (fixed)
postfix-3.8.5
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (3)
comment:1 by , 23 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 23 months ago
This looks to be an updated version with an improved version of the fix for the SMTP Smuggling vulnerability (CVE-2023-51674). With this, upstream has also released patches for prior versions of Postfix that are unsupported.
Fixed with Postfix 3.8.5, 3.7.10, 3.6.14, 3.5.24:

    Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html. The improvements provide better logging, and better compatibility with existing SMTP clients (less need to allowlist clients).

    Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure. The recommended settings are:

        # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
        # Otherwise, allow bare <LF> and process it as if the client sent
        # <CR><LF>.
        #
        # This maintains compatibility with many legitimate SMTP client
        # applications that send a mix of standard and non-standard line
        # endings, but will fail to receive email from client implementations
        # that do not terminate DATA content with the standard End-of-DATA
        # sequence <CR><LF>.<CR><LF>.
        #
        # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
        # The example below allowlists SMTP clients in trusted networks.
        #
        smtpd_forbid_bare_newline = normalize
        smtpd_forbid_bare_newline_exclusions = $mynetworks

    Notes:

    - The default setting is "smtpd_forbid_bare_newline = no" in Postfix releases < 3.9, for compatibility reasons. This means that Postfix is by default vulnerable to SMTP smuggling.
    - The new setting "smtpd_forbid_bare_newline = normalize" is the default for Postfix releases 3.9 and later.
    - The old setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize".
    - The new setting "smtpd_forbid_bare_newline = reject" will refuse commands or message content with a bare newline.

    For details see the RELEASE_NOTES or the postconf(5) documentation.
comment:3 by , 23 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 26ff6f1c9ab0010461b19a2504f8a43a3266167b
I filed an additional security advisory for this one in case users encounter the issues with some SMTP clients mentioned above. That is SA-12.0-078.
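Added example, not part of the ticket and not Postfix's own code: a small Python model of an SMTP server's DATA phase that shows what the three smtpd_forbid_bare_newline settings quoted in the release notes above ("no", "normalize", "reject") do when a client sends a bare <LF>.<LF> end-of-data sequence followed by a second, spoofed envelope. The payload, addresses and the DataResult/read_data/demo names are constructed for illustration; how content is stored (uniform line terminators, dot-unstuffing) is simplified and is not a claim about Postfix internals.

```python
"""Toy model of an SMTP server's DATA phase under the three
smtpd_forbid_bare_newline settings.  Illustrative code written for this
page; it is not Postfix source and simplifies how content is stored."""
from dataclasses import dataclass

CRLF = b"\r\n"
LF = b"\n"


@dataclass
class DataResult:
    status: str         # "ok", "rejected" or "incomplete"
    body: bytes         # content accepted as the message (dot-unstuffed)
    rest: bytes         # unread input the server will parse as SMTP commands
    bare_lf_lines: int  # lines that arrived with a bare <LF> terminator


def read_data(stream: bytes, mode: str) -> DataResult:
    """Consume DATA content from `stream` the way a server configured with
    smtpd_forbid_bare_newline = `mode` ("no", "normalize" or "reject") would,
    and report where it decided the message ended."""
    if mode not in ("no", "normalize", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    body = bytearray()
    bare = 0
    prev_term = CRLF  # the client's "DATA\r\n" precedes the first content line
    pos = 0
    while True:
        nl = stream.find(LF, pos)
        if nl < 0:
            # No end-of-data seen yet: a real server keeps reading.
            return DataResult("incomplete", bytes(body), stream[pos:], bare)
        raw, pos = stream[pos:nl], nl + 1
        if raw.endswith(b"\r"):
            line, term = raw[:-1], CRLF
        else:
            line, term = raw, LF
            bare += 1
            if mode == "reject":
                # "reject": any bare <LF> is refused with an error; nothing
                # after it becomes content or commands.
                return DataResult("rejected", b"", b"", bare)
        if line == b".":
            standard = term == CRLF and prev_term == CRLF
            # "no" (default before 3.9): any lone dot line ends DATA, so a
            # bare <LF>.<LF> hands the remaining bytes to the command parser.
            # "normalize": only the standard <CR><LF>.<CR><LF> ends DATA.
            if mode == "no" or standard:
                return DataResult("ok", bytes(body), stream[pos:], bare)
        prev_term = term
        if line.startswith(b"."):
            line = line[1:]  # RFC 5321 dot transparency
        body += line + CRLF  # bare <LF> is stored as if it were <CR><LF>


# Constructed attack payload: what a relay might forward verbatim when it does
# not itself treat <LF>.<LF> as end-of-data.
SMUGGLING_ATTEMPT = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: status report\r\n"
    b"\r\n"
    b"legit body\n.\n"                  # non-standard end-of-data sequence
    b"MAIL FROM:<ceo@example.com>\r\n"  # smuggled envelope with spoofed sender
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.com\r\n"
    b"\r\n"
    b"Wire the money today.\r\n"
    b".\r\n"                            # standard end-of-data sequence
    b"QUIT\r\n"
)


def demo(mode: str) -> dict:
    """Summarise where the smuggled MAIL FROM ends up under `mode`."""
    r = read_data(SMUGGLING_ATTEMPT, mode)
    return {
        "status": r.status,
        "smuggled_as_commands": r.rest.startswith(b"MAIL FROM:"),
        "smuggled_in_body": b"MAIL FROM:<ceo@example.com>" in r.body,
        "bare_lf_lines": r.bare_lf_lines,
    }


if __name__ == "__main__":
    for mode in ("no", "normalize", "reject"):
        print(f"smtpd_forbid_bare_newline = {mode:<9} -> {demo(mode)}")
```

Running the script shows the difference the setting makes: under "no" the spoofed MAIL FROM is left in the input buffer and would be parsed as a new command, under "normalize" it stays inside the first message's body and only the standard <CR><LF>.<CR><LF> ends DATA, and under "reject" the session is refused at the first bare <LF>. Because the recommended configuration excludes $mynetworks from the countermeasure, clients on trusted networks still get the "no" behaviour, which is the compatibility trade-off the ticket's comment about some SMTP clients refers to.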