List: postfix-users
Subject: [pfx] SMTP smuggling in Postfix
From: John D'Orazio via Postfix-users <postfix-users () postfix ! org>
Date: 2023-12-20 21:25:28
Message-ID: CAKQvm3nyEqAx-VnwTxQgcX2b9eWGvvPyLYnBCbKW15+a=5g0wQ () mail ! gmail ! com
I was directed to this thread from the dev mailing list. Seeing I'm using
Postfix 3.4.13 on a server of mine that has an OS of Ubuntu 20.04, I'm
guessing I don't have access to this smtpd restriction. I have however
started implementing amavis as spam detection, which does use -o
smtpd_data_restrictions=reject_unauth_pipelining. Should this be enough?
Would this have the same effect?
> - Postfix 3.9 (pending official release soon), rejects unauthorised
> pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting
> code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining"
> parameter defaults to "no".
>
> This default avoids breaking compatibility in a patch to stable
> release, in case some fax-to-email machine, or other minimally
> conformant device performs illegal pipelining.
>
> However, for most users it is IMHO prudent to override the default to
> "yes" in their configuration, after ensuring that this is
> compatible with their mail flows.
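
An added example, not part of the original message and not Postfix or amavis code: a `-o name=value` override in master.cf applies only to the service entry it is attached to, so this script lists which smtpd listeners actually run with `reject_unauth_pipelining` in `smtpd_data_restrictions`. The master.cf sample, the 127.0.0.1:10025 re-injection listener, the empty main.cf value and the function names are constructed assumptions; only the plain `-o name=value` form is parsed.

```python
import shlex

# Constructed sample input, not taken from the original post.
MAIN_CF_VALUE = ""  # assumes main.cf leaves smtpd_data_restrictions unset
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_data_restrictions=reject_unauth_pipelining
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0] in " \t" and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def effective_data_restrictions(master_cf, main_cf_value):
    """Map each smtpd service to the smtpd_data_restrictions it actually runs with."""
    result = {}
    for entry in logical_lines(master_cf):
        fields = shlex.split(entry)
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # not an smtpd listener
        value, args = main_cf_value, fields[8:]
        for flag, opt in zip(args, args[1:]):
            name, _, override = opt.partition("=")
            if flag == "-o" and name == "smtpd_data_restrictions":
                value = override  # a per-service -o replaces the main.cf value
        result[fields[0]] = value
    return result

def listeners_without(master_cf, main_cf_value, restriction="reject_unauth_pipelining"):
    """Return the smtpd services whose effective value lacks the restriction."""
    effective = effective_data_restrictions(master_cf, main_cf_value)
    return sorted(name for name, value in effective.items()
                  if restriction not in value.replace(",", " ").split())

if __name__ == "__main__":
    print(listeners_without(SAMPLE_MASTER_CF, MAIN_CF_VALUE))
```

On a real host, pass the contents of master.cf and the output of `postconf -h smtpd_data_restrictions` instead of the constructed sample.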