On Mon, Dec 18, 2023 at 02:48:43PM -0500, Bill Cole via Postfix-users wrote:
> > This research work has now been published by Sec Consult company, see > > link below . > > It is interesting that they seem to be unaware of some SMTP basics, such as > the fact that message bodies, message headers, and the SMTP protocol have > different format rules, defined in different RFCs that are clearly marked as > such. They seem to think that the problem is grounded in legitimate > misunderstanding of imprecise RFCs, when it seems clear to me that there's > one right interpretation. > > That very much ruins my ability to take what they are saying seriously. I > believe they tested against the proprietary systems cited and found the > issue, I find it extremely suspect that they show no examples for Sendmail > or Postfix, merely an assertion. > > > The Postfix issues the researcher mentions, we were not able to actually > > reproduce > > This is unsuprising. - Postfix 3.9 (pending official release soon), rejects unuthorised pipelining by default: "smtpd_forbid_unauth_pipelining = yes". - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining" parameter defaults to "no". This default avoids breaking compatibility in a patch to stable release, in case some fax-to-email machine, or other minimally conformant device performs illegal pipeling. However, for most users it is IMHO prudent to override the default to "yes" in their configuration, after ensuring that that this is compatible with their mail flows. With illegal pipelining blocked by default, the described attempts to inject multiple messages into Postfix as a receiving system will fail. This is because with very high probability any "<LF>.<LF>" will be immediately followed by some part of the rest of the original message content in the same TCP frame, or the next TCP frame in same TCP window. To succeed, the sending TCP would have to exactly fill a TCP window with content up and including the <LF>.<LF>, and would have to be stalled waiting for missing ACKs. As an outbound server, Postfix will never send <LF>.<LF>. Its output will always be RFC-conformant. So any impact falls largely on systems that send illegal bare LF in (non-BDAT) SMTP. It should also be noted that the piggybacked message will not have a matching DKIM signature, and can only succeed via SPF alignment. It may be time to consider ditching SPF. And of course, all that this "attack" achieves is "From:" header "forgery", in cases where the outbound server would normally not allow the submission client to use a "From:" header of their choice. My personal view is that phishing attacks largely rely on distracting the user with flashy message content that draws attention away from any "From:" header that suggest the message is not "authentic". None of the fake "Geek Squad" bills I receive on a steady basis actually have a related domain in "From:". They work to defraud some of their marks by presending artfully constructed content with all the right logos that looks like a plausible "Geek Squad" bill. So I don't see much point for phishers to try to achieve "From:" alignment when they can simply not bother. -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org