* [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults
@ 2024-02-12 20:59 Stoiko Ivanov
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
To: pmg-devel
The following patchset should not be security relevant - the mitigation
for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
following upstream's write-up [0].
It aims at getting the config in line with the latest upstream release's
default value.
As is I'm inclined not to carry this change over to PMG 7 primarily
because it is not a security-relevant change, secondarily because it might
be more visible for users when they do the upgrade to the next major
version.
Tested both internal and external ports on a test-installation of mine
[0] https://www.postfix.org/smtp-smuggling.html
Stoiko Ivanov (2):
templates: postfix: adapt to current default setting for smtpsmuggling
d/control: bump versioned dependency for postfix
debian/control | 2 +-
src/templates/main.cf.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.39.2
* [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
To: pmg-devel
Postfix recently released new versions (for all supported stable
versions including 3.7.10), which changed the behavior regarding bare
newlines (which originally caused smtp-smuggling [0]).
Instead of directly rejecting SMTP sessions when <LF> is used as
command separator, the session continues; however, a bare <LF> is not
recognized as the end of the DATA command.
The current setting of `smtpd_forbid_bare_newline = yes` (in 3.7.9)
used to behave like the new setting of 'reject'. In 3.7.10 this was
changed and it behaves like `smtpd_forbid_bare_newline = normalize`
(the default for postfix > 3.9)
The current patch simply adapts to the current default naming (yes is
an alias for normalize). The change in behavior came with the postfix
update shipped in proposed-updates at the end of January and is part of Debian
12.5 (released on 10.02.2024) [1].
As both versions mitigate smtp-smuggling in postfix, and even the more
drastic behavior of rejecting bare <LF> did not cause any problems in
our support-channels and own deployments, the patch is not
security-relevant.
[0] https://www.postfix.org/smtp-smuggling.html
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/postfix/postfix_3.7.10-0+deb12u1_changelog
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/templates/main.cf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index 3b56355..e686884 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,7 +101,7 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
smtpd_data_restrictions = reject_unauth_pipelining
-smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
$mynetworks,
cidr:/etc/postfix/clientaccess
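Review bot: the new value `normalize` is only accepted by Postfix >= 3.7.10 (older versions abort with `fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize`, as the 2/2 message shows), so this template line must never be shipped without the matching `postfix (>= 3.7.10)` dependency; keeping both in one series is right, but the commit message should state that hard requirement explicitly rather than leaving it to 2/2. A second line worth adding to the message: `smtpd_forbid_bare_newline_exclusions` (`$mynetworks`, `cidr:/etc/postfix/clientaccess`) is unchanged, so clients matched there keep the pre-mitigation bare-newline handling and that list should remain limited to trusted relays.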
--
2.39.2
* [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix
From: Stoiko Ivanov @ 2024-02-12 21:00 UTC (permalink / raw)
To: pmg-devel
While postfix happily ignores completely unknown settings (e.g. if the
config contains settings not present in an older version of postfix),
the allowed values are handled more strictly:
```
fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize
```
is the result of running this configuration on postfix < 3.7.10 (for
bookworm).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
debian/control | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 1a4a13a..fe20ce8 100644
--- a/debian/control
+++ b/debian/control
@@ -84,7 +84,7 @@ Depends: apt (>= 2~),
pmg-docs,
pmg-gui,
pmg-log-tracker,
- postfix (>= 2.5.5),
+ postfix (>= 3.7.10),
postgresql-15,
proxmox-backup-client (>= 2.2.0),
proxmox-mini-journalreader (>= 1.3-1),
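Review bot: the old floor `postfix (>= 2.5.5)` predates the `smtpd_forbid_bare_newline` parameter entirely, so until now the mitigation from 8.0.11 relied on Postfix silently ignoring an unknown setting on too-old versions; `>= 3.7.10` is the first version where the `normalize` value parses, and `3.7.10-0+deb12u1` from Debian 12.5 satisfies it under dpkg version ordering. Worth stating in the commit message that this intentionally makes pmg-api uninstallable on a bookworm system that has not picked up 12.5 / proposed-updates, since that is the visible effect users will hit.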
--
2.39.2
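The two messages above describe a version-dependent setting: `smtpd_forbid_bare_newline = yes` meant `reject` in 3.7.9 and `normalize` from 3.7.10 on, while `normalize` itself is fatal on anything older. The following audit script is an added example, not code from the pmg-api patches or from Postfix: it reads a `main.cf` text, resolves what a given Postfix version would actually do with the configured value, and flags configurations that would fail to start. The thresholds follow the thread for the 3.7 branch; the treatment of versions before 3.7.9 (parameter unknown and silently ignored) and the default of `no` before 3.9 are assumptions, and other stable branches are not modelled. The sample `main.cf` content is constructed.

```python
"""Audit smtpd_forbid_bare_newline in a Postfix main.cf against a target
Postfix version. Added example; not part of pmg-api or Postfix."""

import re

PARAM = "smtpd_forbid_bare_newline"
FIRST_WITH_PARAM = (3, 7, 9)         # parameter introduced; 'yes' acted like 'reject'
FIRST_WITH_NORMALIZE = (3, 7, 10)    # 'normalize'/'reject' accepted; 'yes' == 'normalize'
FIRST_DEFAULT_NORMALIZE = (3, 9, 0)  # assumption: unset means 'normalize' from 3.9 on

# Constructed sample resembling the PMG template after the patch.
SAMPLE_MAIN_CF = """\
# constructed sample, not the real pmg-api template
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
    $mynetworks,
    cidr:/etc/postfix/clientaccess
"""


def parse_version(version):
    """Turn '3.7.10' or a Debian string such as '3.7.10-0+deb12u1' into (3, 7, 10).
    The Debian revision after '-' does not affect upstream feature checks."""
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def read_setting(main_cf, name=PARAM):
    """Return the last value assigned to `name`, or None if unset.
    Postfix uses the last assignment; comment lines and indented
    continuation lines are skipped, which suffices for this parameter."""
    value = None
    for line in main_cf.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m and m.group(1) == name:
            value = m.group(2).strip()
    return value


def effective_behavior(value, version):
    """Map the configured value to what this Postfix version actually does.

    Returns 'normalize' or 'reject' (smuggling mitigated), 'none' (bare
    newlines tolerated, the pre-mitigation behaviour) or 'fatal' (Postfix
    would refuse to start with 'bad boolean configuration')."""
    v = parse_version(version)
    if v < FIRST_WITH_PARAM:
        return "none"  # assumption: unknown parameter is ignored
    if value is None:
        return "normalize" if v >= FIRST_DEFAULT_NORMALIZE else "none"
    value = value.lower()
    if value == "no":
        return "none"
    if value == "yes":
        return "normalize" if v >= FIRST_WITH_NORMALIZE else "reject"
    if value in ("normalize", "reject"):
        return value if v >= FIRST_WITH_NORMALIZE else "fatal"
    return "fatal"  # any other token is not a valid boolean/keyword


def audit(main_cf, version):
    """Summarise the setting for one target version."""
    value = read_setting(main_cf)
    behavior = effective_behavior(value, version)
    return {
        "value": value,
        "version": version,
        "behavior": behavior,
        "mitigated": behavior in ("normalize", "reject"),
    }


if __name__ == "__main__":
    for target in ("3.7.9", "3.7.10-0+deb12u1", "3.9.0"):
        print(audit(SAMPLE_MAIN_CF, target))
```

Run it against a real `main.cf` by reading the file into `audit()`; a result of `fatal` is exactly the case the dependency bump in 2/2 prevents, and `none` means the host is still exposed to bare-newline smuggling.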
* [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults
From: Thomas Lamprecht @ 2024-02-23 17:00 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 12/02/2024 at 21:59, Stoiko Ivanov wrote:
> The following patchset should not be security relevant - the mitigation
> for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
> following upstream's write-up [0].
>
> It aims at getting the config in line with the latest upstream release's
> default value.
>
> As is I'm inclined not to carry this change over to PMG 7 primarily
> because it is not a security-relevant change, secondarily because it might
> be more visible for users when they do the upgrade to the next major
> version.
>
> Tested both internal and external ports on a test-installation of mine
>
> [0] https://www.postfix.org/smtp-smuggling.html
>
> Stoiko Ivanov (2):
> templates: postfix: adapt to current default setting for smtpsmuggling
> d/control: bump versioned dependency for postfix
>
> debian/control | 2 +-
> src/templates/main.cf.in | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
applied series, thanks!