* [pmg-devel] [PATCH pmg-api 0/2] adapt postfix config to newest defaults
@ 2024-02-12 20:59 Stoiko Ivanov
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
To: pmg-devel
The following patchset should not be security relevant - the mitigation
for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
following upstream's write-up [0].
It aims at getting the config in line with the latest upstream release's
default value.
As is, I'm inclined not to carry this change over to PMG 7, primarily
because it is not a security-relevant change, and secondarily because it might
be more visible for users when they do the upgrade to the next major
version.
Tested both internal and external ports on a test-installation of mine.
[0] https://www.postfix.org/smtp-smuggling.html
Stoiko Ivanov (2):
templates: postfix: adapt to current default setting for smtpsmuggling
d/control: bump versioned dependency for postfix
debian/control | 2 +-
src/templates/main.cf.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.39.2
* [pmg-devel] [PATCH pmg-api 1/2] templates: postfix: adapt to current default setting for smtpsmuggling
From: Stoiko Ivanov @ 2024-02-12 20:59 UTC (permalink / raw)
To: pmg-devel
postfix recently released new versions (for all supported stable
versions including 3.7.10), which changed the behavior regarding bare
newlines (which originally caused smtp-smuggling [0]).
Instead of directly rejecting smtp sessions when <LF> is used as a
command separator, the session continues; however, a bare <LF> is not
recognized as the end of the DATA command.
The current setting of `smtpd_forbid_bare_newline = yes` (in 3.7.9)
used to behave like the new setting of 'reject'. In 3.7.10 this was
changed and it behaves like `smtpd_forbid_bare_newline = normalize`
(the default for postfix > 3.9).
The current patch simply adapts to the current default naming (yes is
an alias for normalize) - the change in behavior came with the postfix
update shipped in proposed-updates at the end of January and is part of Debian
12.5 (released on 10.02.2024).
As both versions mitigate smtp-smuggling in postfix, and even the more
drastic behavior of rejecting bare <LF> did not cause any problems in
our support-channels and own deployments, the patch is not
security-relevant.
[0] https://www.postfix.org/smtp-smuggling.html
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/postfix/postfix_3.7.10-0+deb12u1_changelog
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/templates/main.cf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index 3b56355..e686884 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,7 +101,7 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
smtpd_data_restrictions = reject_unauth_pipelining
-smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
$mynetworks,
cidr:/etc/postfix/clientaccess
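Review bot: switching `yes` to `normalize` on the `smtpd_forbid_bare_newline` line makes this template fail to load on any postfix older than 3.7.10, where `normalize` is not an accepted value (patch 2/2 quotes the resulting `fatal: bad boolean configuration`), so the template change and the versioned dependency have to ship together; it is worth stating that coupling in this commit message rather than only in 2/2. The unchanged `smtpd_forbid_bare_newline_exclusions` (`$mynetworks`, `cidr:/etc/postfix/clientaccess`) still exempt those clients from the bare-newline handling, so the normalize behaviour only applies to non-excluded clients; a sentence confirming that this is intended would help the reader.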
--
2.39.2
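As an added illustration of the behaviour the commit message describes (example code, not from pmg-api or Postfix): a simplified model of a server-side DATA reader under the `no`, `normalize` and `reject` policies, run over a constructed input. It leaves out dot-unstuffing and the line-length limit and only models what the message and the Postfix write-up state about bare `<LF>`.

```python
from typing import Tuple

class BareNewlineRejected(Exception):
    """Policy 'reject': a line ended in a bare <LF> instead of <CR><LF>."""

def read_data(stream: bytes, policy: str) -> Tuple[bytes, bytes]:
    """Split one DATA section off `stream`; return (stored content, leftover).

    Simplified model (no dot-unstuffing, no line-length limit), not Postfix code:
      'no'        : a '.' line ending in <CR><LF> ends DATA even right after a
                    bare <LF>, so the leftover bytes reach the command parser
      'normalize' : bare <LF> is stored as <CR><LF>; DATA ends only on a '.'
                    line that follows a <CR><LF> and ends in <CR><LF>
                    (what 'yes' means since 3.7.10)
      'reject'    : any bare <LF> aborts the session (what 'yes' meant in 3.7.9)
    """
    content = bytearray()
    prev_was_crlf = True  # the DATA command itself ended in <CR><LF>
    pos = 0
    while True:
        lf = stream.find(b"\n", pos)
        if lf < 0:
            raise ValueError("connection closed inside DATA")
        line = stream[pos:lf]
        ends_crlf = line.endswith(b"\r")
        if not ends_crlf and policy == "reject":
            raise BareNewlineRejected(f"bare <LF> at offset {lf}")
        text = line[:-1] if ends_crlf else line
        # End-of-DATA is decided on the raw bytes as they arrived.
        if text == b"." and ends_crlf and (policy == "no" or prev_was_crlf):
            return bytes(content), stream[lf + 1:]
        # 'normalize' forces <CR><LF> on every stored line; the others keep <LF>.
        content += text + (b"\r\n" if ends_crlf or policy == "normalize" else b"\n")
        prev_was_crlf = ends_crlf
        pos = lf + 1

def rejects(stream: bytes) -> bool:
    """True if policy 'reject' would abort the session on this stream."""
    try:
        read_data(stream, "reject")
    except BareNewlineRejected:
        return True
    return False

# Constructed sample: the body contains "<LF>.<CR><LF>" and more text before
# the real "<CR><LF>.<CR><LF>" terminator.
SAMPLE = b"Subject: test\r\n\r\nfirst line\n.\r\nmore text\r\n.\r\n"

if __name__ == "__main__":
    print(read_data(SAMPLE, "no"), read_data(SAMPLE, "normalize"), rejects(SAMPLE))
```

Under `no` the bytes after the bare-LF dot line are handed back to the command parser, under `normalize` they stay inside the stored message, and under `reject` the session aborts at the first bare `<LF>`.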
* [pmg-devel] [PATCH pmg-api 2/2] d/control: bump versioned dependency for postfix
From: Stoiko Ivanov @ 2024-02-12 21:00 UTC (permalink / raw)
To: pmg-devel
While postfix happily ignores completely unknown settings (e.g. if the
config contains settings not present in an older version of postfix),
the allowed values are handled more strictly:
```
fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize
```
is the result of running this configuration on postfix < 3.7.10 (for
bookworm).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
debian/control | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 1a4a13a..fe20ce8 100644
--- a/debian/control
+++ b/debian/control
@@ -84,7 +84,7 @@ Depends: apt (>= 2~),
pmg-docs,
pmg-gui,
pmg-log-tracker,
- postfix (>= 2.5.5),
+ postfix (>= 3.7.10),
postgresql-15,
proxmox-backup-client (>= 2.2.0),
proxmox-mini-journalreader (>= 1.3-1),
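Review bot: `postfix (>= 3.7.10)` is the right floor for the `normalize` value the template now uses, and the bookworm `3.7.10-0+deb12u1` package cited in patch 1/2 satisfies it; since the cover letter says the series is not carried over to PMG 7, make sure this control change only lands on the bookworm-based branch, because on an older release the jump from `2.5.5` would make pmg-api uninstallable rather than fail with the more telling postfix fatal quoted in the commit message.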
--
2.39.2
* [pmg-devel] applied-series: [PATCH pmg-api 0/2] adapt postfix config to newest defaults
From: Thomas Lamprecht @ 2024-02-23 17:00 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 12/02/2024 at 21:59, Stoiko Ivanov wrote:
> The following patchset should not be security relevant - the mitigation
> for smtp-smuggling that was in place with pmg-api 8.0.11 still works,
> following upstream's write-up [0].
>
> It aims at getting the config in line with the latest upstream release's
> default value.
>
> As is, I'm inclined not to carry this change over to PMG 7, primarily
> because it is not a security-relevant change, and secondarily because it might
> be more visible for users when they do the upgrade to the next major
> version.
>
> Tested both internal and external ports on a test-installation of mine.
>
> [0] https://www.postfix.org/smtp-smuggling.html
>
> Stoiko Ivanov (2):
> templates: postfix: adapt to current default setting for smtpsmuggling
> d/control: bump versioned dependency for postfix
>
> debian/control | 2 +-
> src/templates/main.cf.in | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
applied series, thanks!