[A longer and updated version of this text may be found at 
https://www.postfix.org/smtp-smuggling.html]

SUMMARY

As part of a non-responsible disclosure process, SEC Consult has
published an email spoofing attack that involves a composition of
email services with specific differences in the way they handle
line endings other than <CR><LF>.

DETAILS AND IMPACT

See https://www.postfix.org/smtp-smuggling.html

SHORT-TERM WORKAROUNDS

A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.

NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.

  * With all Postfix versions, "smtpd_data_restrictions =
    reject_unauth_pipelining" will stop the published exploit.

  * Postfix 3.9 (stable release expected early 2024) rejects unauthorised
    pipelining by default: "smtpd_forbid_unauth_pipelining = yes".

  * Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
    but the "smtpd_forbid_unauth_pipelining" parameter defaults to "no".

Compatibility: the setting "smtpd_forbid_unauth_pipelining = yes" or
"smtpd_data_restrictions = reject_unauth_pipelining" may break legitimate
SMTP clients that mis-implement SMTP, but such clients are exceedingly
rare, especially when email is sent across the Internet.
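As an added audit helper (not part of this announcement, nor Postfix's own code), the Python below parses a main.cf fragment and reports whether either workaround above is in effect for a given Postfix version, applying the default-value rules from the bullets; the sample configuration is constructed.

```python
import re

# Constructed sample main.cf (not from the announcement): a Postfix 3.8.1 host that
# leaves smtpd_forbid_unauth_pipelining at its default, so the workaround is absent.
SAMPLE_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions =
    permit_mynetworks,
    reject_multi_recipient_bounce
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; lines starting with whitespace continue the
    previous value; '#' lines are comments; a later setting overrides an earlier one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] = (params[current] + " " + line.strip()).strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params

def forbid_pipelining_default(version):
    """Default of smtpd_forbid_unauth_pipelining as stated above: "yes" from 3.9,
    "no" from 3.8.1 / 3.7.6 / 3.6.10 / 3.5.20, None (parameter absent) before."""
    major, minor, patch = (int(x) for x in (version.split(".") + ["0"])[:3])
    if (major, minor) >= (3, 9):
        return "yes"
    first_patch = {8: 1, 7: 6, 6: 10, 5: 20}.get(minor)
    if major == 3 and first_patch is not None and patch >= first_patch:
        return "no"
    return None

def smuggling_workaround_active(main_cf_text, version):
    """True when the published exploit is blocked: reject_unauth_pipelining is in
    smtpd_data_restrictions (works on every version), or
    smtpd_forbid_unauth_pipelining is effectively "yes"."""
    params = parse_main_cf(main_cf_text)
    restrictions = re.split(r"[\s,]+", params.get("smtpd_data_restrictions", ""))
    if "reject_unauth_pipelining" in restrictions:
        return True
    default = forbid_pipelining_default(version)
    if default is None:
        return False  # parameter unknown to this version; setting it has no effect
    return params.get("smtpd_forbid_unauth_pipelining", default).lower() == "yes"
```

On a live host, feed it the output of `postconf -n` style settings from main.cf together with `postconf mail_version`; the restriction-based workaround is the one to use where the parameter does not exist yet.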

LONG-TERM FIX

A long-term fix is being validated. This stops all forms of the smuggling
attacks. For many sites, this will be ready too late for deployment
before a long holiday break, when typically production changes are not
allowed until January.

TIMELINE

  * Dec 18 SEC Consult publishes an attack that involves the composition
    of two different email service behaviors.

  * Dec 19 Research and implement a fix for Postfix, start testing
    and Q/A.

  * Dec 20 Draft this response document at
    https://www.postfix.org/smtp-smuggling.html.

  * TBD: Publish updated source code releases for stable Postfix versions
    3.8.4, 3.7.9, 3.6.13, 3.5.23.

  * TBD: OSS distributions publish updated packages for Postfix versions
    3.8.4, 3.7.9, 3.6.13, 3.5.23.

  * Dec 22: last day before a 10+ day holiday break, start of production
    change freezes until early January.

REFERENCES

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
_______________________________________________
Postfix-announce mailing list -- postfix-announce@postfix.org