* [pmg-devel] [PATCH pmg-api] templates: postfix: forbid_bare_newline on external port
@ 2024-01-02 10:30 Stoiko Ivanov
  2024-01-02 11:08 ` [pmg-devel] applied: " Wolfgang Bumiller
From: Stoiko Ivanov @ 2024-01-02 10:30 UTC (permalink / raw)
  To: pmg-devel

This patch addresses the SMTP smuggling vulnerability [0,1] with the fix
recommended by Postfix upstream [2].

Disallowing bare linefeeds instead of CRLF should not be a problem
with any standards-compliant MTA.
The internal port allows bare linefeeds, since internal clients
(mail scripts written ages ago, some ancient embedded systems) might
not adhere to the protocol. Additionally, the mail-proxy allowlist (the
IP and CIDR entries are the only ones applicable here) is also added
to the global exceptions.

Currently the updated Postfix packages are not published in the
security repositories but only as stable updates [3,4].
However, Postfix ignores unknown configuration parameters and only
prints a warning to the journal, so the changes to the templates can
already be shipped for those users who have the stable-updates mirror
enabled.

Tested with the current Postfix in bookworm, then updating to the one
in bookworm-updates and running tests with netcat (verified with nc -C
that it still works with the correct line termination):
```
$ nc -6  pmgtest 25
220 pmgtest.proxmox.com ESMTP Proxmox
EHLO pmgsender.proxmox.com
521 5.5.2 pmgtest.proxmox.com Error: bare <LF> received
```

[0] https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-51764
[2] https://www.postfix.org/smtp-smuggling.html
[3] https://security-tracker.debian.org/tracker/CVE-2023-51764
[4] https://lists.debian.org/debian-stable-announce/2023/12/msg00004.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/templates/main.cf.in   | 5 +++++
 src/templates/master.cf.in | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index c689af3..3b56355 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,6 +101,11 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
 
 smtpd_data_restrictions = reject_unauth_pipelining
 
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions =
+        $mynetworks,
+        cidr:/etc/postfix/clientaccess
+
 smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
 smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
 smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]
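Review bot: the exclusion list extends the bare-<LF> exemption to every client matched by `cidr:/etc/postfix/clientaccess`, not only `$mynetworks`; the commit message explains why (allowlisted IP and CIDR entries are treated like internal clients), but the template itself does not, so a one-line comment above `smtpd_forbid_bare_newline_exclusions` stating that this is intentional would keep the reason visible to whoever edits the template next.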
diff --git a/src/templates/master.cf.in b/src/templates/master.cf.in
index 7d60d1d..674767d 100644
--- a/src/templates/master.cf.in
+++ b/src/templates/master.cf.in
@@ -92,6 +92,7 @@ scan      unix  -       -       n       -       [% pmg.mail.max_filters %]
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_data_restrictions=
+  -o smtpd_forbid_bare_newline = no
 
 [% pmg.mail.ext_port %]       inet  n -       -       -       1 postscreen
 
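Review bot: `-o smtpd_forbid_bare_newline = no` has whitespace around `=`, unlike the neighbouring `-o smtpd_data_restrictions=` entries; master.cf `-o` overrides are split on whitespace, so this should be written `-o smtpd_forbid_bare_newline=no` (or the braced `{ name = value }` form) to be sure the internal-port override is actually applied rather than misparsed. A short comment that the internal port deliberately keeps accepting bare LF for legacy clients would also record the reason given in the commit message.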
-- 
2.39.2
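As an added example (not part of this patch or of PMG's own code): a small Python probe that performs the same check as the nc session above, sending an EHLO terminated by a bare LF and classifying the server's reply, with a scripted stand-in server so the classification can be exercised offline. The target host/port and the HELO name `probe.example` are assumptions.

```python
"""Probe an SMTP listener's bare-<LF> handling (the check behind the nc test above).
Host, port and the HELO name 'probe.example' are assumptions for illustration."""
import socket
import sys

def read_reply(recv_line):
    """Read one (possibly multi-line) SMTP reply via recv_line() -> bytes.
    Returns (code, lines); code is None if the peer closed the connection."""
    lines = []
    while True:
        raw = recv_line()
        if not raw:
            return None, lines
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":   # "250-..." continues, "250 ..." ends
            return text[:3], lines

def probe_bare_lf(send, recv_line, helo_name="probe.example"):
    """Read the banner, send EHLO terminated by a bare LF, classify the answer:
    'rejected' (5xx), 'accepted' (2xx), 'dropped' (closed without reply), 'other'."""
    code, _ = read_reply(recv_line)                 # 220 banner expected first
    if code is None or not code.startswith("2"):
        return "other"
    send(f"EHLO {helo_name}\n".encode("ascii"))     # bare <LF>: no <CR> on purpose
    code, _ = read_reply(recv_line)
    if code is None:
        return "dropped"
    if code.startswith("5"):
        return "rejected"
    return "accepted" if code.startswith("2") else "other"

class ScriptedServer:
    """Constructed stand-in for a listener: replays canned reply lines (sample data)."""
    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []                              # bytes the probe wrote, for inspection
    def send(self, data):
        self.sent.append(data)
    def recv_line(self):
        return self._replies.pop(0) if self._replies else b""

def probe_host(host, port=25, timeout=10):
    """Run the probe against a real listener; a hardened Postfix answers 521 and closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as reader:
        return probe_bare_lf(sock.sendall, reader.readline)

if __name__ == "__main__":                          # e.g. python3 probe.py pmgtest 25
    print(probe_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run against the external port after the template change, a result of "rejected" confirms the 521 behaviour shown above; "accepted" means the listener (or an exclusion entry matching the probing host) still tolerates bare LF.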

* [pmg-devel] applied: [PATCH pmg-api] templates: postfix: forbid_bare_newline on external port
  2024-01-02 10:30 [pmg-devel] [PATCH pmg-api] templates: postfix: forbid_bare_newline on external port Stoiko Ivanov
@ 2024-01-02 11:08 ` Wolfgang Bumiller
From: Wolfgang Bumiller @ 2024-01-02 11:08 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pmg-devel

applied & bumped, thanks