
List:       oss-security
Subject:    Re: [oss-security] Re: Postfix updated SMTP smuggling countermeasure
From:       Alexander Burke <alex () alexburke ! ca>
Date:       2024-01-23 20:31:58
Message-ID: 042cbc7a-a82c-4997-ac56-5ce93169dcdb () alexburke ! ca

My first experience with Postfix was installing and running it on Red Hat 5 (or maybe it was 6) in 1998 or 1999; it just seemed like the best choice at the time.

It looks like not much has changed in the intervening... wow, 25 years.

Thanks for everything, Wietse. Damn fine work.
----------------------------------------

Jan 23, 2024 18:53:10 Wietse Venema <wietse@porcupine.org>:

> Solar Designer:
>> If I'm reading this right, the initial implementation of Postfix
>> smtpd_forbid_bare_newline disallowed bare LF not only at the end of
>> DATA, but also elsewhere in the SMTP session.   This is now relaxed in
>> the recommended "smtpd_forbid_bare_newline = normalize" mode to apply
>> only to the end of DATA, while allowing bare LFs elsewhere.   This is
>> sufficient to prevent the attack while having better compatibility with
>> existing SMTP clients.
> 
> Indeed. The "reject all bare LF" option remains available for sites
> that are less concerned about breaking changes.
> 
>        Wietse
> 
>> ----- Forwarded message from Wietse Venema via Postfix-announce <postfix-announce@postfix.org> -----
>> 
>> To: Postfix announce <postfix-announce@postfix.org>
>> Date: Mon, 22 Jan 2024 09:01:59 -0500 (EST)
>> Subject: [pfx-ann] Postfix stable release 3.8.5, 3.7.10, 3.6.14, 3.5.24
>> From: Wietse Venema via Postfix-announce <postfix-announce@postfix.org>
>> Reply-To: Wietse Venema <wietse@porcupine.org>
>> 
>> [An on-line version of this announcement will be available at
>> https://www.postfix.org/announcements/postfix-3.8.5.html]
>> 
>> [Fixes for Postfix versions < 3.5 will be announced at
>> https://www.postfix.org/smtp-smuggling.html]
>> 
>> Postfix stable release 3.8.5, 3.7.10, 3.6.14, 3.5.24
>> 
>> Security: this release improves support to defend against an email
>> spoofing attack (SMTP smuggling) on recipients at a Postfix server. For
>> background, see https://www.postfix.org/smtp-smuggling.html.
>> 
>> The improvements provide better logging, and better compatibility with
>> existing SMTP clients (less need to allowlist clients).
>> 
>> Sites concerned about SMTP smuggling attacks should enable this feature
>> on Internet-facing Postfix servers. For compatibility with non-standard
>> clients, Postfix by default excludes clients in mynetworks from this
>> countermeasure.
>> 
>> The recommended settings are:
>> 
>>        # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
>>        # Otherwise, allow bare <LF> and process it as if the client sent
>>        # <CR><LF>.
>>        #
>>        # This maintains compatibility with many legitimate SMTP client
>>        # applications that send a mix of standard and non-standard line
>>        # endings, but will fail to receive email from client implementations
>>        # that do not terminate DATA content with the standard End-of-DATA
>>        # sequence <CR><LF>.<CR><LF>.
>>        #
>>        # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
>>        # The example below allowlists SMTP clients in trusted networks.
>>        #
>>        smtpd_forbid_bare_newline = normalize
>>        smtpd_forbid_bare_newline_exclusions = $mynetworks
>> 
>> Notes:
>> 
>>    * The default setting is "smtpd_forbid_bare_newline = no" in Postfix
>>        releases < 3.9, for compatibility reasons. This means that Postfix
>>        is by default vulnerable to SMTP smuggling.
>> 
>>    * The new setting "smtpd_forbid_bare_newline = normalize" is the
>>        default for Postfix releases 3.9 and later.
>> 
>>    * The old setting "smtpd_forbid_bare_newline = yes" is now an alias for
>>        "smtpd_forbid_bare_newline = normalize".
>> 
>>    * The new setting "smtpd_forbid_bare_newline = reject" will refuse
>>        commands or message content with a bare newline. For details see
>>        the RELEASE_NOTES or the postconf(5) documentation.
>> 
>> You can find the updated Postfix source code at the mirrors listed
>> at https://www.postfix.org/.
>> 
>>        Wietse
>> _______________________________________________
>> Postfix-announce mailing list -- postfix-announce@postfix.org
>> To unsubscribe send an email to postfix-announce-leave@postfix.org
>> 
>> ----- End forwarded message -----
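The two countermeasure modes described in the quoted announcement, "normalize" and "reject", modelled as an added example (not Postfix code, and not part of the original thread): only the standard <CR><LF>.<CR><LF> sequence ends DATA, a bare <LF> is either normalized to <CR><LF> or rejected outright, and the sample stream is constructed here. Dot-unstuffing of content lines is left out of the model.

```python
from typing import List, Tuple

class BareNewlineRejected(Exception):
    """'reject' mode: a line was terminated by a bare <LF>."""

class IncompleteData(Exception):
    """The stream ended before the End-of-DATA sequence arrived."""

def read_data(stream: bytes, mode: str) -> Tuple[List[bytes], bytes]:
    """Consume DATA content in mode "normalize" or "reject"; return the
    content lines (terminators stripped) and the bytes after End-of-DATA."""
    if mode not in ("normalize", "reject"):
        raise ValueError("mode must be 'normalize' or 'reject'")
    lines: List[bytes] = []
    pos = 0
    while True:
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise IncompleteData("no End-of-DATA sequence received")
        # A line ends "bare" when the byte before <LF> is not <CR>.
        bare = nl == pos or stream[nl - 1:nl] != b"\r"
        if bare and mode == "reject":
            raise BareNewlineRejected(f"bare <LF> at offset {nl}")
        line = stream[pos:nl] if bare else stream[pos:nl - 1]
        # Only the standard <CR><LF>.<CR><LF> ends the message. In normalize
        # mode a bare <LF> counts as <CR><LF>, so a "." line ended by a bare
        # <LF> is ordinary content and cannot split the message.
        if line == b"." and not bare:
            return lines, stream[nl + 1:]
        lines.append(line)
        pos = nl + 1

def outcome(stream: bytes, mode: str) -> str:
    """One-line summary of what the modelled server does with `stream`."""
    try:
        lines, rest = read_data(stream, mode)
    except BareNewlineRejected:
        return "rejected"
    except IncompleteData:
        return "incomplete"
    return f"accepted {len(lines)} lines, {len(rest)} bytes remain"

# Constructed sample: CRLF endings, one legitimate bare-LF line ("hello"),
# and a <LF>.<LF> sequence that must not terminate the message early.
SAMPLE = (b"Subject: test\r\n\r\nhello\n\n.\n"
          b"this line must stay inside the message\r\n\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for mode in ("normalize", "reject"):
        print(f"{mode:>9}: {outcome(SAMPLE, mode)}")
```

In normalize mode the whole sample up to the real <CR><LF>.<CR><LF> is one message with "QUIT" left over; in reject mode the first bare-LF line is refused.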