After the initial SMTP smuggling fix that was published four weeks
ago, the plan is to publish an improved version early next week.

- Better compatibility: Postfix can prevent SMTP smuggling without
  rejecting bare newline characters.

  This avoids a mail delivery problem with Microsoft Exchange
  servers. These violate RFC 3030 (BDAT) and RFC 2045 (MIME text)
  when they send BDAT payloads with bare newline characters in MIME text.
  https://datatracker.ietf.org/doc/html/rfc3030#section-3
  https://datatracker.ietf.org/doc/html/rfc2045#section-2.7
  https://datatracker.ietf.org/doc/html/rfc2045#section-2.8

- Better logging: when Postfix is configured to reject bare newline
  characters, log the queue ID, HELO, MAIL, and RCPT if available.

- Avoid false positives: some "smuggling" test tools send fake
  End-of-DATA sequences that real MTAs cannot send.
  https://www.postfix.org/false-smuggling-claims.html

A preview of the code is in the unstable releases postfix-20240112
and postfix-20240116 (these contain the same code, but differ in
documentation which remains work in progress).
https://www.postfix.org/download.html

        Wietse
_______________________________________________
Postfix-announce mailing list -- postfix-announce@postfix.org
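
A simplified model of the trade-off in the first item above (rejecting bare newlines versus accepting them without honouring a non-standard End-of-DATA), added here as an illustration and not Postfix code. The mode names "legacy", "reject" and "normalize", the function names and the sample bytes are assumptions constructed for this example.

```python
# Added illustration, not Postfix source code. Mode names, function names
# and the sample bytes are constructed for this example.

def receive_data(stream: bytes, mode: str):
    """Return (lines, leftover) for one message in a DATA payload.

    leftover is what follows End-of-DATA, i.e. what the server parses
    next as SMTP commands.
    """
    lines, pos, prev_crlf = [], 0, True   # the DATA command ended in CRLF
    while True:
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise ValueError("no End-of-DATA sequence")
        crlf = nl > pos and stream[nl - 1:nl] == b"\r"
        text = stream[pos:nl - 1] if crlf else stream[pos:nl]
        pos = nl + 1
        if not crlf and mode == "reject":
            raise ValueError("bare <LF> received")
        # "legacy" ends the message at any lone dot; the other modes
        # insist on the standard <CR><LF>.<CR><LF>.
        if text == b"." and (mode == "legacy" or (crlf and prev_crlf)):
            return lines, stream[pos:]
        # Undo dot-stuffing, but keep a lone dot as ordinary content.
        lines.append(text[1:] if text.startswith(b".") and text != b"." else text)
        prev_crlf = crlf


def to_wire(lines):
    """Re-encode for relaying: CRLF line ends, dot-stuffing, End-of-DATA."""
    body = b"".join((b"." + l if l.startswith(b".") else l) + b"\r\n" for l in lines)
    return body + b".\r\n"


SAMPLE = (                      # constructed input
    b"Subject: constructed sample\r\n\r\n"
    b"line one\n"               # bare LF inside body text
    b".\n"                      # lone dot with bare LFs
    b"line two\r\n"
    b".\r\n"                    # standard End-of-DATA
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for mode in ("legacy", "normalize", "reject"):
        try:
            lines, rest = receive_data(SAMPLE, mode)
            print(mode, len(lines), "lines; leftover:", rest)
        except ValueError as err:
            print(mode, "-> rejected:", err)
```

In "legacy" mode the two ends of a relay disagree about where the message stops; in "normalize" mode the bare-newline text is accepted and the relayed copy contains exactly one End-of-DATA sequence.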