[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.8.4.html]
Fixed with Postfix 3.8.4:
* Security: this release adds support to defend
against an email spoofing attack (SMTP smuggling) on
recipients at a Postfix server. For background, see
https://www.postfix.org/smtp-smuggling.html.
Sites concerned about SMTP smuggling attacks should enable this
feature on Internet-facing Postfix servers. For compatibility
with non-standard clients, Postfix by default excludes clients
in mynetworks from this countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
You can find the updated Postfix source code at the mirrors listed at
https://www.postfix.org/.
Wietse
_______________________________________________
Postfix-announce mailing list -- postfix-announce@postfix.org
To unsubscribe send an email to postfix-announce-le...@postfix.org
