[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.8.5.html]
[Fixes for Postfix versions < 3.5 will be announced at https://www.postfix.org/smtp-smuggling.html] Postfix stable release 3.8.5, 3.7.10, 3.6.14, 3.5.24 Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html. The improvements provide better logging, and better compatibility with existing SMTP clients (less need to allowlist clients). Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure. The recommended settings are: # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. # Otherwise, allow bare <LF> and process it as if the client sent # <CR><LF>. # # This maintains compatibility with many legitimate SMTP client # applications that send a mix of standard and non-standard line # endings, but will fail to receive email from client implementations # that do not terminate DATA content with the standard End-of-DATA # sequence <CR><LF>.<CR><LF>. # # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. # The example below allowlists SMTP clients in trusted networks. # smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks Notes: * The default setting is "smtpd_forbid_bare_newline = no" in Postfix releases < 3.9, for compatibility reasons. This means that Postfix is by default vulnerable to SMTP smuggling. * The new setting "smtpd_forbid_bare_newline = normalize" is the default for Postfix releases 3.9 and later. * The old setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize". * The new setting "smtpd_forbid_bare_newline = reject" will refuse commands or message content with a bare newline. For details see the RELEASE_NOTES or the postconf(5) documentation. You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/. Wietse _______________________________________________ Postfix-announce mailing list -- postfix-announce@postfix.org To unsubscribe send an email to postfix-announce-le...@postfix.org
