
List:       postfix-users
Subject:    [pfx] SMTP smuggling in Postfix
From:       John D'Orazio via Postfix-users <postfix-users () postfix ! org>
Date:       2023-12-20 21:25:28
Message-ID: CAKQvm3nyEqAx-VnwTxQgcX2b9eWGvvPyLYnBCbKW15+a=5g0wQ () mail ! gmail ! com

I was directed to this thread from the dev mailing list. Seeing I'm using
Postfix 3.4.13 on a server of mine that has an OS of Ubuntu 20.04, I'm
guessing I don't have access to this smtpd restriction. I have however
started implementing amavis as spam detection, which does use -o
smtpd_data_restrictions=reject_unauth_pipelining. Should this be enough?
Would this have the same effect?

> - Postfix 3.9 (pending official release soon), rejects unauthorised
>   pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting
>   code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining"
>   parameter defaults to "no".
>
>  This default avoids breaking compatibility in a patch to stable
>  release, in case some fax-to-email machine, or other minimally
>  conformant device performs illegal pipelining.
>
>  However, for most users it is IMHO prudent to override the default to
>  "yes" in their configuration, after ensuring that this is
>  compatible with their mail flows.
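
Added example, not part of the original message and not Postfix code: a shell sketch that classifies an upstream Postfix version against the release levels quoted above and reports which of the two pipelining settings named in this message appear in a configuration. The function names, output labels and sample inputs are constructed for illustration, and treating releases after 3.9 like 3.9 is an assumption.

```shell
#!/bin/sh
# Added example (not Postfix code). Thresholds are the upstream versions quoted
# above; distribution backports are not considered. On a live host the version
# string would come from `postconf -h mail_version`.

# classify_version VERSION prints:
#   default-yes    3.9 (assumed: and later), parameter defaults to "yes"
#   available-off  patched stable release, parameter exists, defaults to "no"
#   not-listed     below the quoted patch level, or branch not named above
classify_version() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 9 ]; }; then
        echo default-yes; return
    fi
    case "$major.$minor" in
        3.8) min=1 ;; 3.7) min=6 ;; 3.6) min=10 ;; 3.5) min=20 ;;
        *) echo not-listed; return ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo available-off; else echo not-listed; fi
}

# pipelining_settings reads main.cf ("name = value") or master.cf
# ("-o name=value") lines on stdin and reports which settings are present.
# Commented-out lines do not match because of the leading anchor.
pipelining_settings() {
    cfg=$(cat)
    pre='^[[:space:]]*(-o[[:space:]]+)?'
    if printf '%s\n' "$cfg" | grep -Eq "${pre}smtpd_forbid_unauth_pipelining[[:space:]]*=[[:space:]]*yes"; then
        out="forbid=yes"
    else
        out="forbid=not-yes"
    fi
    if printf '%s\n' "$cfg" | grep -Eq "${pre}smtpd_data_restrictions[[:space:]]*=.*reject_unauth_pipelining"; then
        out="$out data_restriction=present"
    else
        out="$out data_restriction=absent"
    fi
    echo "$out"
}

# Constructed inputs: the poster's version and the amavis override they quote.
classify_version 3.4.13
printf '%s\n' '  -o smtpd_data_restrictions=reject_unauth_pipelining' | pipelining_settings
```

The script only reports which version band and which settings are present; it does not judge whether one setting substitutes for the other.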
