As part of a non-responsible disclosure process, SEC Consult has
published an email spoofing attack that involves a composition of
different mail service behaviors with respect to broken line endings.

A short-term fix may be deployed now, before the upcoming long holiday:

- Postfix 3.9 (stable release early 2024) rejects unauthorized
  pipelining by default: "smtpd_forbid_unauth_pipelining = yes".

- Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
  but the "smtpd_forbid_unauth_pipelining" parameter defaults to

Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate
SMTP clients that mis-implement SMTP, but such clients are exceedingly
rare, especially when email is sent across the Internet.
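As an added example (not part of the Postfix announcement above), the
shell script below decides whether a host needs the short-term fix and
applies it: it checks whether the running Postfix is a version that
ships the "smtpd_forbid_unauth_pipelining" parameter (3.5.20, 3.6.10,
3.7.6, 3.8.1 and later, as listed above), whether the parameter is
already "yes", and otherwise sets it with postconf(1) and reloads. The
function names, the status words and the "--apply" flag are this
example's own conventions; only the parameter name, the version
thresholds and the postconf/postfix commands come from the announcement
and the standard Postfix tooling.

```shell
#!/bin/sh
# Added example, not Postfix project code. Assumes a standard Postfix
# install with postconf(1) and postfix(1) on PATH when run with --apply;
# the version logic is pure shell so it can be exercised offline.

# Return 0 if this mail_version ships smtpd_forbid_unauth_pipelining
# (3.5.20, 3.6.10, 3.7.6, 3.8.1 and anything 3.9 or later), else 1.
# Handles snapshot versions such as "3.9-20231220" (no patch level).
has_forbid_unauth_pipelining() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$rest" | sed -n 's/^[0-9]*\.\([0-9]*\).*/\1/p')
    [ -z "$patch" ] && patch=0
    [ "$major" -gt 3 ] && return 0
    [ "$major" -lt 3 ] && return 1
    case $minor in
        5) [ "$patch" -ge 20 ] ;;
        6) [ "$patch" -ge 10 ] ;;
        7) [ "$patch" -ge 6 ] ;;
        8) [ "$patch" -ge 1 ] ;;
        *) [ "$minor" -ge 9 ] ;;
    esac
}

# Print one status word for a host, given its mail_version and the
# current value of smtpd_forbid_unauth_pipelining (empty when the
# parameter is unknown to that Postfix version):
#   needs-upgrade  - version too old, the parameter does not exist
#   needs-setting  - parameter exists but is not "yes"
#   protected      - parameter is "yes" (set by hand, or 3.9 default)
pipelining_fix_status() {
    ver=$1
    cur=$2
    if ! has_forbid_unauth_pipelining "$ver"; then
        echo needs-upgrade
    elif [ "$cur" = yes ]; then
        echo protected
    else
        echo needs-setting
    fi
}

# Inspect the local Postfix and apply the short-term fix if needed.
apply_short_term_fix() {
    command -v postconf >/dev/null 2>&1 || {
        echo "postconf not found; is Postfix installed?" >&2
        return 2
    }
    ver=$(postconf -h mail_version)
    # Older versions warn "unknown parameter" and print nothing.
    cur=$(postconf -h smtpd_forbid_unauth_pipelining 2>/dev/null || true)
    case $(pipelining_fix_status "$ver" "$cur") in
        needs-upgrade)
            echo "Postfix $ver lacks smtpd_forbid_unauth_pipelining;" \
                 "upgrade to 3.5.20, 3.6.10, 3.7.6, 3.8.1 or later" >&2
            return 1 ;;
        protected)
            echo "Postfix $ver already forbids unauthorized pipelining" ;;
        needs-setting)
            postconf -e 'smtpd_forbid_unauth_pipelining = yes'
            postfix reload
            echo "Postfix $ver: set smtpd_forbid_unauth_pipelining = yes" ;;
    esac
}

# Only touch the live system when explicitly asked.
case ${1:-} in
    --apply) apply_short_term_fix ;;
esac
```

Run it as "sh check_pipelining.sh --apply" on the mail host; afterwards
"postconf -n | grep smtpd_forbid_unauth_pipelining" should show the
explicit "yes" in main.cf, and "postconf -h mail_version" confirms which
stable release is running. On a version that reports needs-upgrade the
parameter is silently ignored if you add it to main.cf, so the check
matters more than the edit.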

This short-term fix will stop the published form of the attack, but
other forms exist that will not be stopped in this manner.

The longer-term fix stops all forms of the smuggling attacks and is
in testing. For most sites, this fix will arrive too late to deploy
before a long holiday break, when production changes are typically
not allowed until January.

Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
Dec 19 Implement fix for Postfix, start testing and Q/A
Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
Dec 23 First day of a 10+ day holiday break and production freeze


