public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults
@ 2024-02-12 20:59 Stoiko Ivanov
  2024-02-12 20:59 ` [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling Stoiko Ivanov
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
  To: pmg-devel

The following patchset should not be security relevant - the mitigation
for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
following upstream's write-up [0].

It aims at getting the config in line with the latest upstream release's
default value.

As is I'm inclined not to carry this change over to PMG 7 primarily
because it is not a security-relevant change, secondarily because it might
be more visible for users when they do the upgrade to the next major
version.

Tested both internal and external ports on a test-installation of mine.

[0] https://www.postfix.org/smtp-smuggling.html

Stoiko Ivanov (2):
  templates: postfix: adapt to current default setting for smtpsmuggling
  d/control: bump versioned dependency for postfix

 debian/control           | 2 +-
 src/templates/main.cf.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
2.39.2

* [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling
  2024-02-12 20:59 [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults Stoiko Ivanov
@ 2024-02-12 20:59 ` Stoiko Ivanov
  2024-02-12 21:00 ` [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix Stoiko Ivanov
  2024-02-23 17:00 ` [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
  To: pmg-devel

postfix recently released new versions (for all supported stable
versions including 3.7.10), which changed the behavior regarding bare
newlines (which originally caused smtp-smuggling [0]).

Instead of directly rejecting smtp sessions when <LF> is used as
command separator, the session continues, however a bare <LF> is not
recognized as end for the DATA command.

The current setting of `smtpd_forbid_bare_newline = yes` (in 3.7.9)
used to behave like the new setting of `reject`. In 3.7.10 this was
changed and it behaves like `smtpd_forbid_bare_newline = normalize`
(the default for postfix > 3.9).

The current patch simply adapts to the current default naming (`yes` is
an alias for `normalize`). The change in behavior came with the postfix
update shipped in proposed-updates at the end of January and is part of
Debian 12.5 (released on 10.02.2024).

As both versions mitigate smtp-smuggling in postfix, and even the more
drastic behavior of rejecting bare <LF> did not cause any problems in
our support-channels and own deployments, the patch is not
security-relevant.

[0] https://www.postfix.org/smtp-smuggling.html
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/postfix/postfix_3.7.10-0+deb12u1_changelog

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/templates/main.cf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index 3b56355..e686884 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,7 +101,7 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
 
 smtpd_data_restrictions = reject_unauth_pipelining
 
-smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions =
         $mynetworks,
         cidr:/etc/postfix/clientaccess
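Review bot: this one-line change at `+smtpd_forbid_bare_newline = normalize` only parses on postfix >= 3.7.10 (older releases abort with `fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize`, as the 2/2 message shows), so with 1/2 applied on its own the generated main.cf stops postfix from starting on a host that has not yet pulled the Debian 12.5 update; the versioned dependency in 2/2 is what closes that window, so either fold the d/control bump into this patch or state in this message that the two must ship together. A smaller point: the untouched exclusions list below (`$mynetworks`, `cidr:/etc/postfix/clientaccess`) is independent of the `yes`/`normalize` naming and correctly left alone, but since clients in those ranges are exempt from the bare-newline handling entirely, the message could say so, as that is the part of the config an operator would review after this change.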
-- 
2.39.2
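The behaviour described in the patch message above (a bare <LF> no longer ending the DATA section under `normalize`, the session being refused under `reject`, and `yes` being an alias for `normalize`) as an added Python model written for this page. It is not postfix's own code and not part of the thread: the mode names are the ones the message uses, but the reader function, the `BareNewlineRejected` exception, the `compare_modes` helper and the sample DATA payload are assumptions constructed for the illustration, and dot-unstuffing of body lines is left out to keep the model short.

```python
"""Simplified model of how an SMTP server's DATA reader ends a message
under the three smtpd_forbid_bare_newline modes discussed in the thread.
Added for this page; not postfix code. Sample input is constructed."""


class BareNewlineRejected(Exception):
    """'reject' mode: the server answers with a 5xx reply and ends the session."""


def read_data_section(stream: bytes, mode: str):
    """Consume the payload of a DATA command from *stream*.

    Returns (body, remainder): *body* is what would be stored as the
    message, *remainder* is what the server would go on to parse as
    further SMTP input. Raises ValueError if no end-of-data marker exists.
    """
    if mode == "yes":  # alias kept for the pre-3.7.10 spelling of the setting
        mode = "normalize"
    if mode not in ("no", "reject", "normalize"):
        raise ValueError(f"unknown smtpd_forbid_bare_newline value: {mode!r}")

    body = bytearray()
    pos = 0
    while True:
        nl = stream.find(b"\n", pos)
        if nl == -1:
            raise ValueError("stream ended before <CR><LF>.<CR><LF>")
        line = stream[pos:nl]
        bare = not line.endswith(b"\r")        # <LF> not preceded by <CR>
        content = line if bare else line[:-1]

        if bare and mode == "reject":
            raise BareNewlineRejected("bare <LF> received in DATA")

        # End-of-data is a line that is exactly ".". With 'no' a bare <LF>
        # terminates that line as well; with 'normalize' only <CR><LF> does,
        # so a <LF>.<LF> sequence stays inside the message body.
        if content == b"." and (mode == "no" or not bare):
            return bytes(body), stream[nl + 1:]

        # 'normalize' rewrites a bare <LF> to <CR><LF>; 'no' keeps it as-is.
        terminator = b"\n" if (bare and mode == "no") else b"\r\n"
        body += content + terminator
        pos = nl + 1


# Constructed DATA payload: the body carries a <LF>.<LF> sequence that a
# lenient reader mistakes for the end of the message.
SAMPLE_DATA = (
    b"Subject: one message\r\n"
    b"\r\n"
    b"first body line\r\n"
    b"\n.\n"                              # bare-newline "end" inside the body
    b"second part of the same message\r\n"
    b"\r\n.\r\n"                          # the real end-of-data marker
)


def compare_modes(stream: bytes = SAMPLE_DATA) -> dict:
    """Run the same payload through every mode and summarize the outcome."""
    results = {}
    for mode in ("no", "reject", "normalize"):
        try:
            body, rest = read_data_section(stream, mode)
            results[mode] = {
                "rejected": False,
                "body_complete": b"second part" in body,
                "leftover_bytes": len(rest),
            }
        except BareNewlineRejected:
            results[mode] = {"rejected": True, "body_complete": False,
                             "leftover_bytes": 0}
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(f"{mode:>9}: {outcome}")
```

Running the block shows the practical difference the message describes: under `no` the message is cut short and 38 bytes are left over for the server to interpret as further input, under `reject` the session is refused at the first bare <LF>, and under `normalize` (or `yes`) the whole payload lands in one message body with nothing left over.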

* [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix
  2024-02-12 20:59 [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults Stoiko Ivanov
  2024-02-12 20:59 ` [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling Stoiko Ivanov
@ 2024-02-12 21:00 ` Stoiko Ivanov
  2024-02-23 17:00 ` [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2024-02-12 21:00 UTC (permalink / raw)
  To: pmg-devel

While postfix happily ignores completely unknown settings (e.g. if the
config contains settings not present in an older version of postfix),
the allowed values are handled more strictly:
```
fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize
```
is the result of running this configuration on postfix < 3.7.10 (for
bookworm).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 1a4a13a..fe20ce8 100644
--- a/debian/control
+++ b/debian/control
@@ -84,7 +84,7 @@ Depends: apt (>= 2~),
          pmg-docs,
          pmg-gui,
          pmg-log-tracker,
-         postfix (>= 2.5.5),
+         postfix (>= 3.7.10),
          postgresql-15,
          proxmox-backup-client (>= 2.2.0),
          proxmox-mini-journalreader (>= 1.3-1),
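Review bot: the bump to `postfix (>= 3.7.10)` is what stops apt from installing this pmg-api next to a postfix that rejects `normalize` with the fatal error quoted in the message, so it has to land together with 1/2 rather than after it; the bare upstream version compares as intended against Debian's `3.7.10-0+deb12u1`, since a Debian revision sorts above the plain upstream version. One thing to double-check: the old `(>= 2.5.5)` bound also admitted the 3.8 branch, and `>= 3.7.10` still does, so a 3.8.x package predating that branch's own release with the new setting would satisfy the dependency and still hit the fatal error; if PMG 8 only ever installs bookworm's 3.7 line this is moot, otherwise the message should say which branches the bound is meant to cover.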
-- 
2.39.2

* [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults
  2024-02-12 20:59 [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults Stoiko Ivanov
  2024-02-12 20:59 ` [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling Stoiko Ivanov
  2024-02-12 21:00 ` [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix Stoiko Ivanov
@ 2024-02-23 17:00 ` Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Thomas Lamprecht @ 2024-02-23 17:00 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

On 12/02/2024 at 21:59, Stoiko Ivanov wrote:
> The following patchset should not be security relevant - the mitigation
> for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
> following upstream's write-up [0].
> 
> It aims at getting the config in line with the latest upstream release's
> default value.
> 
> As is I'm inclined not to carry this change over to PMG 7 primarily
> because it is not a security-relevant change, secondarily because it might
> be more visible for users when they do the upgrade to the next major
> version.
> 
> Tested both internal and external ports on a test-installation of mine
> 
> [0] https://www.postfix.org/smtp-smuggling.html
> 
> Stoiko Ivanov (2):
>   templates: postfix: adapt to current default setting for smtpsmuggling
>   d/control: bump versioned dependency for postfix
> 
>  debian/control           | 2 +-
>  src/templates/main.cf.in | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 


applied series, thanks!
