From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling
Date: Mon, 12 Feb 2024 21:59:59 +0100 [thread overview]
Message-ID: <20240212210000.32989-2-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20240212210000.32989-1-s.ivanov@proxmox.com>
postfix recently released new versions (for all supported stable
versions including 3.7.10), which changed the behavior regarding bare
newlines (which originally caused smtp-smuggling [0]).
Instead of directly rejecting smtp sessions when <LF> is used as
command separator, the session continues, however a bare <LF> is not
recognized as end for the DATA command.
The current setting of `smtpd_forbid_bare_newline = yes` (in 3.7.9)
used to behave like the new setting of 'reject'. In 3.7.10 this was
changed and it behaves like `smtpd_forbid_bare_newline = normalize`
(the default for postfix > 3.9)
The current patch simply adapts to the current default naming (yes is
an alias for normalize) - The change in behavior came with the postfix
update shipped in proposed-updates end of January and part of Debian
12.5 (released on 10.02.2024).
As both versions mitigate smtp-smuggling in postfix, and even the more
drastic behavior of rejecting bare <LF> did not cause any problems in
our support-channels and own deployments the patch is not
security-relevant.
[0] https://www.postfix.org/smtp-smuggling.html
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/postfix/postfix_3.7.10-0+deb12u1_changelog
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/templates/main.cf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index 3b56355..e686884 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,7 +101,7 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
smtpd_data_restrictions = reject_unauth_pipelining
-smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
$mynetworks,
cidr:/etc/postfix/clientaccess
--
2.39.2
next prev parent reply other threads:[~2024-02-12 21:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-12 20:59 [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults Stoiko Ivanov
2024-02-12 20:59 ` Stoiko Ivanov [this message]
2024-02-12 21:00 ` [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix Stoiko Ivanov
2024-02-23 17:00 ` [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240212210000.32989-2-s.ivanov@proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.