Wietse Venema via Postfix-users:
> As part of a non-responsible disclosure process, SEC Consult has
> published an email spoofing attack that involves a composition of
> different mail service behaviors with respect to broken line endings.

Also on-line at https://www.postfix.org/smtp-smuggling.html

	Wietse

> A short-term fix may be deployed now, before the upcoming long holiday:
>
> - Postfix 3.9 (stable release early 2024), rejects unauthorised
>   pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
>   but the "smtpd_forbid_unauth_pipelining" parameter defaults to
>   "no".
>
> Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate
> SMTP clients that mis-implement SMTP, but such clients are exceedingly
> rare, especially when email is sent across the Internet.
>
> This short-term fix will stop the published form of the attack, but
> other forms exist that will not be stopped in this manner.
>
> The longer-term fix stops all forms of the smuggling attacks and is
> in testing. For most sites, this fix will be too late for deployment
> before a long holiday break, when typically production changes are
> not allowed until January.
>
> Timeline:
> Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
> Dec 19 Implement fix for Postfix, start testing and Q/A
> Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
> Dec 23 First day of a 10+ day holiday break and production freeze
>
> References:
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
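A small audit helper, added here as an example and not part of Wietse's post or of Postfix itself: given the running version and the text of `postconf -n`, it reports whether the short-term mitigation above is in effect, using the release numbers and defaults stated in the post (3.9 defaults the parameter to "yes"; 3.8.1, 3.7.6, 3.6.10 and 3.5.20 carry it with a default of "no"). The sample main.cf lines and version strings are constructed.

```python
import re

# Minimum patch release per stable branch that carries the parameter (per the post).
MIN_RELEASE = {(3, 5): 20, (3, 6): 10, (3, 7): 6, (3, 8): 1}
PARAM = "smtpd_forbid_unauth_pipelining"

def parse_version(text):
    """'3.8.1' -> (3, 8, 1); a missing patch level (e.g. '3.9') counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Postfix version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def has_parameter(version):
    """True if this release knows smtpd_forbid_unauth_pipelining at all."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (3, 9):
        return True
    return patch >= MIN_RELEASE.get((major, minor), float("inf"))

def parse_postconf(text):
    """Parse 'name = value' lines, as printed by `postconf -n`, into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings

def mitigation_status(version, postconf_text):
    """Return 'active', 'available-but-off' or 'unavailable' (upgrade needed)."""
    if not has_parameter(version):
        return "unavailable"
    major, minor, _ = parse_version(version)
    default = "yes" if (major, minor) >= (3, 9) else "no"   # defaults from the post
    explicit = parse_postconf(postconf_text).get(PARAM)
    return "active" if (explicit or default).lower() == "yes" else "available-but-off"

# Constructed sample: a patched 3.8.1 whose main.cf never enabled the parameter.
SAMPLE_POSTCONF = "myhostname = mail.example.test\nsmtpd_tls_security_level = may\n"

if __name__ == "__main__":
    for v in ("3.8.1", "3.9", "3.8.0"):
        print(v, mitigation_status(v, SAMPLE_POSTCONF))
```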