[pfx] Steps to replicate SMTP smuggling

2024-01-15 Thread braham--- via Postfix-users
hey postfix-users,

I am trying to replicate the SMTP smuggling for my postfix servers to verify the fix. But I am not able to recreate it. On the incoming side I am always receiving a single mail. I am trying to send a mail with the incorrect END-OF-DATA with a script. Can someone help with the same?

Thanks & Regards
Braham Garg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
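An added illustration of what the question above is testing (it is not part of the post and not Postfix code): a toy model of the receiving server's DATA phase, which is where SMTP smuggling is decided. The public research behind the Postfix fix relies on an outbound server relaying a message body that contains a non-standard end-of-data sequence such as <LF>.<LF> unchanged; a receiver that also honours bare-LF line endings then treats the rest of the body as a new envelope, while a receiver that only accepts <CR><LF>.<CR><LF> keeps everything inside one message, which is the "single mail" observed once the fix is in place. The session bytes and addresses below are constructed placeholders. Postfix's actual fix (smtpd_forbid_bare_newline, Postfix 3.8.4 and later) rejects or normalizes bare-LF lines instead of silently keeping them, so the model only captures the terminator rule; the interim workaround mentioned later in this digest, smtpd_forbid_unauth_pipelining = yes, is a different control that rejects clients sending commands before the server has answered.

```python
import re

# RFC 5321 end-of-data: a line holding only "." terminated by <CR><LF>,
# i.e. the byte sequence <CR><LF>.<CR><LF>.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# A receiver that also treats a bare <LF> as a line ending accepts
# <LF>.<LF>, <LF>.<CR><LF> and <CR><LF>.<LF> as well. This is the lenient
# behaviour the SMTP smuggling research exploited.
BARE_LF_EOD = re.compile(rb"(?:\r\n|\n)\.(?:\r\n|\n)")


def receive(stream: bytes, forbid_bare_newline: bool) -> list[dict]:
    """Toy model of the receiving SMTP server's envelope/DATA handling.

    Returns one dict per message the receiver believes it was given:
    the envelope it reconstructed plus the raw body. Command lines are
    assumed to be CRLF-terminated; the only difference between the two
    modes is which end-of-data sequence terminates the body.
    """
    eod = STRICT_EOD if forbid_bare_newline else BARE_LF_EOD
    messages: list[dict] = []
    mail_from, rcpt_to = None, []
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break
        line = stream[pos:nl]
        pos = nl + 2
        verb, _, arg = line.partition(b":")
        verb = verb.strip().upper()
        if verb == b"MAIL FROM":
            mail_from, rcpt_to = arg.strip(), []
        elif verb == b"RCPT TO":
            rcpt_to.append(arg.strip())
        elif verb == b"DATA":
            # Search from the CRLF that ended the DATA command so that an
            # empty body ("DATA\r\n.\r\n") is terminated correctly.
            match = eod.search(stream, pos - 2)
            if match is None:
                raise ValueError("DATA never terminated")
            messages.append({
                "mail_from": mail_from,
                "rcpt_to": list(rcpt_to),
                "body": stream[pos:match.start()],
            })
            pos = match.end()
            mail_from, rcpt_to = None, []
    return messages


# Constructed session (not captured traffic). The first message's body ends
# with a bare-LF terminator, followed by a second envelope and DATA block.
SESSION = (
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: alice@example.org\r\n"
    b"Subject: first message\r\n"
    b"\r\n"
    b"legitimate body\r\n"
    b"\n.\n"                                  # <LF>.<LF>: not a valid terminator
    b"MAIL FROM:<admin@example.org>\r\n"      # would become a spoofed sender
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: admin@example.org\r\n"
    b"Subject: smuggled message\r\n"
    b"\r\n"
    b"this must remain part of the first message body\r\n"
    b".\r\n"
)


def smuggling_accepted(stream: bytes = SESSION) -> bool:
    """True if a bare-LF-tolerant receiver splits the stream into more
    messages than a strict receiver does."""
    return len(receive(stream, False)) > len(receive(stream, True))


if __name__ == "__main__":
    for strict in (False, True):
        msgs = receive(SESSION, forbid_bare_newline=strict)
        print(f"forbid_bare_newline={strict}: {len(msgs)} message(s)")
        for m in msgs:
            print("  MAIL FROM", m["mail_from"], "body bytes", len(m["body"]))
```

Running it shows two messages (the second with the spoofed sender) for the lenient receiver and one for the strict one. To reproduce the behaviour against a real server you need a sending path that does not repair the line endings; if the outbound relay normalizes the body, the receiving side will only ever see one message regardless of its own setting.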


[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Gerd Hoerst via Postfix-users

Hi !

with

mydomain = hoerst.net

myorigin = $mydomain

the email sent via mailx has u...@host.domain.tld as sender address
again... but this time somehow it's DKIM signed at least


Ciao Gerd

On 15.01.24 at 17:39, Wietse Venema via Postfix-users wrote:
> Viktor Dukhovni via Postfix-users:
> > On Mon, Jan 15, 2024 at 08:14:13AM +0100, Gerd Hoerst via Postfix-users wrote:
> > 
> > > I added
> > > 
> > > masquerade_domains = hoerst.net
> > > 
> > > to main.cf and mail sent via mailx is sent as u...@domain.tld and it has also
> > > both DKIM Signatures inside
> > > (ed25519 and sha256 key)
> > 
> > I don't recommend masquerade_domains, it is better to set the right
> > domain in the first place.  For incoming mail, masquerade_domains is not
> > easily compatible with recipient validation.  For just outgoing mail, it
> > is not so bad, but I prefer canonical_maps instead, and having the right
> > domain in the first place (correct value of $myorigin, ...)
> 
> As Viktor suggested earlier, use
> 
> myorigin = $mydomain
> 
> instead of the default (myorigin = $myhostname).
> 
> Wietse
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] ldap + 550 5.1.1

2024-01-15 Thread jungle.hunt--- via Postfix-users
Mail from root.brezen.example.net is rejected. root's mail should not be masked since it will be sorted by sieve depending on the originating host.

Is /etc/aliases ignored when ldap is in use?

 

Header from offending mail

 

Return-Path: 
Received: by brezen.example.net (Postfix, from userid 0)
    id 0AB262D0008A; Sat, 23 Dec 2023 11:15:21 +0100 (CET)
Subject: SMART error (ErrorCount) detected on host: brezen
To: r...@example.net
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 23 Dec 2023 11:15:21 +0100
Message-Id: <20231223101529.0ab262d00...@brezen.example.net>
From: root 
MIME-Version: 1.0

 

excerpt from the error mail:

 

 (expanded from ): host
    creampuff.example.net[fd00::11] said: 550 5.1.1
    : Recipient address rejected: User unknown in
    virtual mailbox table (in reply to RCPT TO command)

 

excerpt from /etc/aliases

# Person who should get root's mail
root:   fed...@example.net


# cat main.cf
alias_maps = hash:/etc/aliases
compatibility_level = 3.6
delay_warning_time = 24h
disable_vrfy_command = yes
masquerade_domains = $mydomain
masquerade_exceptions = root
message_size_limit = 33554432
milter_default_action = accept
mydestination = $myhostname creampuff creampuff.example.net brezen.example.net
myhostname = mail.example.net
mynetworks = 127.0.0.0/8 10.0.0.0/24 [::1]/128 [fd00::]/16 [fe80::]/16
relayhost = [host.mail-provider.com]:465
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/password
smtp_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/example+CA.crt
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtpd_milters = inet:localhost:11332
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_cert_file = /etc/ssl/certs/creampuff.crt
smtpd_tls_key_file = /etc/ssl/private/creampuff.key
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap/virtual-alias-maps.cf
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

 
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
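As an added illustration, not from the thread and not Postfix code: a small Python model of the Postfix address-class rules (ADDRESS_CLASS_README) applied to the main.cf posted above. It assumes mydomain = example.net (Postfix's default derivation from myhostname) and Postfix defaults for the parameters the post does not set. Each recipient domain falls into exactly one class, and that class decides which table has to know the recipient: /etc/aliases (alias_maps) only takes part in local delivery, while virtual_alias_maps rewriting is applied to addresses of every class before the class lookup.

```python
import re

# Taken from the main.cf posted above. mydomain is not set there; Postfix
# derives it by dropping the first label of myhostname, so example.net is
# assumed. Parameters the post does not mention get their Postfix defaults.
POSTED_MAIN_CF = {
    "myhostname": "mail.example.net",
    "mydomain": "example.net",                 # assumed (derived default)
    "myorigin": "$myhostname",                 # Postfix default
    "mydestination": "$myhostname creampuff creampuff.example.net brezen.example.net",
    "virtual_alias_domains": "",               # Postfix default
    "virtual_mailbox_domains": "$mydomain",
    "relay_domains": "",                       # Postfix default since 3.0
}

# (class name, parameter listing its domains, where the recipient must be
# known, whether alias_maps i.e. /etc/aliases is consulted on delivery).
# virtual_alias_maps rewriting happens for every class before this lookup.
ADDRESS_CLASSES = [
    ("local", "mydestination", "local_recipient_maps (alias_maps + system accounts)", True),
    ("virtual alias", "virtual_alias_domains", "virtual_alias_maps", False),
    ("virtual mailbox", "virtual_mailbox_domains", "virtual_mailbox_maps", False),
    ("relay", "relay_domains", "relay_recipient_maps", False),
]


def expand(value: str, cf: dict) -> str:
    """Expand $name references recursively (the ${name} form is not modelled)."""
    return re.sub(r"\$(\w+)", lambda m: expand(cf.get(m.group(1), ""), cf), value)


def domains_in(param: str, cf: dict) -> set:
    """The set of domains a list-valued parameter names, after expansion."""
    return {d.lower() for d in expand(cf.get(param, ""), cf).replace(",", " ").split()}


def classify(recipient: str, cf: dict = POSTED_MAIN_CF) -> dict:
    """Return the address class of a recipient and the table that must know it."""
    if "@" in recipient:
        domain = recipient.rsplit("@", 1)[1]
    else:                       # unqualified address: Postfix appends $myorigin
        domain = expand(cf.get("myorigin", "$myhostname"), cf)
    domain = domain.lower()
    for name, param, table, aliases in ADDRESS_CLASSES:
        if domain in domains_in(param, cf):
            return {"class": name, "validated_by": table, "uses_etc_aliases": aliases}
    return {"class": "default (relayed via relayhost)", "validated_by": None,
            "uses_etc_aliases": False}


if __name__ == "__main__":
    for rcpt in ("root@example.net", "root@brezen.example.net", "root", "someone@other.example"):
        print(f"{rcpt:28} -> {classify(rcpt)}")
```

Under this model root@example.net is in the virtual mailbox class, so it is checked against virtual_mailbox_maps and never against /etc/aliases, which is consistent with the wording of the 550 above; root@brezen.example.net is local and does go through alias_maps. Whether that is the whole story for the poster's setup (LDAP contents, the relaying hop) is outside what the model can show.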


[pfx] Re: postfix repo

2024-01-15 Thread Scott Kitterman via Postfix-users



On January 16, 2024 3:11:37 AM UTC, Peter via Postfix-users 
 wrote:
>On 12/01/24 04:08, Wietse Venema via Postfix-users wrote:
>> Viktor Dukhovni via Postfix-users:
>>> On Thu, Jan 11, 2024 at 03:53:35PM +0100, natan via Postfix-users wrote:
>>>> Hi Wietse, have you thought about a postfix repo for Debian, just like dovecot
>>>> has for its releases?
>>>> 
>>> 
>>> What is a "Postfix repo for Debian"?  Do you mean binary release
>>> packages?  What's wrong with the packages from the Debian maintainers?
>> 
>> If he means Postfix distributing BINARY packages for Debian, RedHat,
>> *BSD, and so on, then I do not expect that to happen.
>
>As many are aware Ghettoforge builds these for EL.  To me the simplest way for 
>Debian and other distros is for a community member to take up the mantle and 
>build Postfix in a similar way.  It's not that difficult to do and it puts the 
>responsibility on someone who is genuinely interested in that particular 
>platform instead of putting the responsibility on Wietse to try to build 
>binary rpms for every distro under the sun.
>
You can actually install RPMs on Debian systems, but it would be a pretty 
unusual way to go about things.  I think for almost every one, the Debian 
stable updates that we provide should be sufficient.  For those that actually 
need the latest release, it's trivial to grab the Debianized source from a 
later release and build it for an earlier release.

Scott K
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: postfix repo

2024-01-15 Thread Peter via Postfix-users

On 12/01/24 04:08, Wietse Venema via Postfix-users wrote:
> Viktor Dukhovni via Postfix-users:
>> On Thu, Jan 11, 2024 at 03:53:35PM +0100, natan via Postfix-users wrote:
>>> Hi Wietse, have you thought about a postfix repo for Debian, just like dovecot
>>> has for its releases?
>>
>> What is a "Postfix repo for Debian"?  Do you mean binary release
>> packages?  What's wrong with the packages from the Debian maintainers?
> 
> If he means Postfix distributing BINARY packages for Debian, RedHat,
> *BSD, and so on, then I do not expect that to happen.


As many are aware Ghettoforge builds these for EL.  To me the simplest 
way for Debian and other distros is for a community member to take up 
the mantle and build Postfix in a similar way.  It's not that difficult 
to do and it puts the responsibility on someone who is genuinely 
interested in that particular platform instead of putting the 
responsibility on Wietse to try to build binary rpms for every distro 
under the sun.



Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Gerd Hoerst via Postfix-users
Hi !

OK, I will try tomorrow

Ciao Gerd
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Mon, Jan 15, 2024 at 08:14:13AM +0100, Gerd Hoerst via Postfix-users wrote:
> 
> > I added
> > 
> > masquerade_domains = hoerst.net
> > 
> > to main.cf and mail sent via mailx is sent as u...@domain.tld and it has
> > also both DKIM Signatures inside
> > (ed25519 and sha256 key)
> 
> I don't recommend masquerade_domains, it is better to set the right
> domain in the first place.  For incoming mail, masquerade_domains is not
> easily compatible with recipient validation.  For just outgoing mail, it
> is not so bad, but I prefer canonical_maps instead, and having the right
> domain in the first place (correct value of $myorigin, ...)

As Viktor suggested earlier, use

myorigin = $mydomain

instead of the default (myorigin = $myhostname).

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 15, 2024 at 08:14:13AM +0100, Gerd Hoerst via Postfix-users wrote:

> I added
> 
> masquerade_domains = hoerst.net
> 
> to main.cf and mail sent via mailx is sent as u...@domain.tld and it has also
> both DKIM Signatures inside
> (ed25519 and sha256 key)

I don't recommend masquerade_domains, it is better to set the right
domain in the first place.  For incoming mail, masquerade_domains is not
easily compatible with recipient validation.  For just outgoing mail, it
is not so bad, but I prefer canonical_maps instead, and having the right
domain in the first place (correct value of $myorigin, ...)

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Bill Cole via Postfix-users

On 2024-01-15 at 04:15:53 UTC-0500 (Mon, 15 Jan 2024 10:15:53 +0100)
Admin Beckspaced via Postfix-users
is rumored to have said:

>> someone is trying to use your postfix as an http proxy server.
>> Looks like security scanner.
>
> do you know the type of encoding?

The encoding for the log is octal: characters are either literal or in
\### format for unprintables.

> I would like to decode and see the actual commands.

The underlying data looks (by eyeball) to probably be an attempted HTTPS
handshake. That's consistent with the test apparently being done for an
open proxy. Shodan and Censys are nominally legitimate operations that
scan the Internet for possibly vulnerable machines and sell access to
the resulting data.  There are others who can be identified by the names
"stretchoid" and "binaryedge.ninja" who are less public about their
scans.

The IPs performing the scans can safely be blocked at the packet level,
if you're into such things. They will never do anything but test your
system.

>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200
>> \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V
>> \356\277\200\370\023\264zR\360\243\307
>> \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226
>> \331
>> \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{
>> \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper
>> command pipelining after CONNECT from
>> scanner-29.ch1.censys-scanner.com[167.248.133.186]:
>> \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306
>> \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Wietse Venema via Postfix-users
Admin Beckspaced via Postfix-users:
> dear postfix users,
> 
> since the recent SMTP smuggling issue I applied the short term 
> workaround by setting smtpd_forbid_unauth_pipelining = yes
> 
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
> 
> the following showed up this morning.
> 
> do i need to be worried?
> 
> thanks
> & greetings
> Becki
> 
> 
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command 
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200
>  

That looks like a TLSv1.2 client hello packet.

Octal \026 (hex 0x16) = handshake
Octal \003\003 (hex 0x0303) = TLSv1.2

Presumably the client is confusing port 587 (plaintext, with explicit
STARTTLS) and 465 (implicit TLS).

Postfix logs "after CONNECT" because this is the first thing that the client
sent after CONNECTing to Postfix.

No harm is done, just wasting a few bits in the log.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
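Wietse's decoding above, carried out in code as an added example (it is not from the thread and not Postfix code): a Python script that undoes the escaping Postfix applies to the logged bytes and checks whether they form a TLS handshake record carrying a ClientHello, which is what a client speaking implicit TLS to a STARTTLS port sends first. The escape set handled (\a \b \f \n \r \t \v plus three-digit octal) is inferred from what appears in these lines. The sample lines are three of the ones from the thread with the mail-client line wrapping removed and the payload cut after the first bytes (only the record and handshake headers are needed), plus one constructed line carrying plain SMTP text for contrast.

```python
import re

# Postfix escapes non-printable bytes in log text C-style: \a \b \f \n \r
# \t \v \\ for the usual control characters and \NNN (octal) for the rest.
# (Escape set inferred from the lines in this thread.)
_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_ESCAPE_RE = re.compile(r"\\([0-7]{1,3}|[abfnrtv\\])")

# "improper command pipelining after <last command> from <host>[<addr>]: <data>"
# "CONNECT" as the last command means the client had sent nothing before this.
_LOG_RE = re.compile(
    r"improper command pipelining after (?P<stage>\S+) from "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]: (?P<data>.*)$"
)

_TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def unescape_postfix(text: str) -> bytes:
    """Turn Postfix's escaped log representation back into the raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out.append(int(esc, 8) & 0xFF if esc[0] in "01234567" else _SIMPLE_ESCAPES[esc])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_tls_client_hello(data: bytes):
    """Header fields if data starts a TLS handshake record with a ClientHello, else None.

    Record header: type(1) version(2) length(2); handshake header: type(1)
    length(3); then the ClientHello's own client_version(2).
    """
    if len(data) < 11 or data[0] != 0x16:                     # 0x16 = handshake
        return None
    record_version = int.from_bytes(data[1:3], "big")
    record_length = int.from_bytes(data[3:5], "big")
    hs_type = data[5]
    hs_length = int.from_bytes(data[6:9], "big")
    client_version = int.from_bytes(data[9:11], "big")
    if hs_type != 0x01 or hs_length + 4 != record_length:      # 0x01 = ClientHello
        return None
    return {
        "record_version": _TLS_VERSIONS.get(record_version, hex(record_version)),
        "record_length": record_length,
        "handshake_length": hs_length,
        "client_version": _TLS_VERSIONS.get(client_version, hex(client_version)),
    }


def classify_pipelining_log(line: str):
    """Decode one 'improper command pipelining' line and say what the bytes were."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    raw = unescape_postfix(m.group("data"))
    hello = parse_tls_client_hello(raw)
    if hello:
        verdict = f"TLS ClientHello ({hello['client_version']}) sent to a STARTTLS port"
    else:
        verdict = "not a TLS ClientHello; starts with " + repr(raw[:16])
    return {"host": m.group("host"), "addr": m.group("addr"),
            "stage": m.group("stage"), "hello": hello, "verdict": verdict}


# Lines from the thread (wrapping removed, payload truncated) plus one
# constructed line with real pipelined SMTP text for contrast.
SAMPLE_LOG = [
    r"Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200",
    r"Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{",
    r"Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command pipelining after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306",
    r"Jan 14 06:00:00 cx20 postfix/smtpd[31234]: improper command pipelining after CONNECT from unknown[192.0.2.10]: EHLO x\r\nMAIL FROM:<a@b.example>\r\n",  # constructed
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify_pipelining_log(line)
        print(f"{r['host']:36} {r['verdict']}")
```

The first three lines decode to handshake records whose lengths are self-consistent (record length = handshake length + 4), two of them TLSv1.2 and one TLSv1.1, which is what Wietse identified. For the daily journal scan the original poster describes, alerting only when the decoded bytes are not a ClientHello keeps the scanner noise out and leaves the cases that actually look like pipelined SMTP commands.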


[pfx] Re: improper command pipelining

2024-01-15 Thread Jaroslaw Rafa via Postfix-users
On 15.01.2024 at 09:34:06, Admin Beckspaced via Postfix-users wrote:
> do i need to be worried?

As your logs clearly show it's Shodan, then either ignore it or simply block
it right away.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Admin Beckspaced via Postfix-users




>>> Looks like security scanner.
>>
>> do you know the type of encoding?
>>
>> I would like to decode and see the actual commands.
>
> after CONNECT usually TLS negotiation occurs, that may be it.
> I don't know if there's any value in knowing that.

thanks

i was just curious :)

>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200
>> \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V
>> \356\277\200\370\023\264zR\360\243\307
>> \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226
>> \331
>> \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{
>> \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper
>> command pipelining after CONNECT from
>> scanner-29.ch1.censys-scanner.com[167.248.133.186]:
>> \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306
>> \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237





___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Matus UHLAR - fantomas via Postfix-users

On 15.01.24 10:15, Admin Beckspaced via Postfix-users wrote:
>> someone is trying to use your postfix as an http proxy server.
>> Looks like security scanner.
>
> do you know the type of encoding?
>
> I would like to decode and see the actual commands.

after CONNECT usually TLS negotiation occurs, that may be it.
I don't know if there's any value in knowing that.

>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V
>> \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226
>> \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper
>> command pipelining after CONNECT from
>> scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Bastian Blank via Postfix-users
On Mon, Jan 15, 2024 at 10:15:53AM +0100, Admin Beckspaced via Postfix-users 
wrote:
> 
> > somoene is trying to use your postfix as http proxy server.
> > Looks like security scanner.
> do you know the type of encoding?

No, by "CONNECT", which is not an SMTP command but an HTTP one.

Bastian

-- 
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Admin Beckspaced via Postfix-users




> someone is trying to use your postfix as an http proxy server.
> Looks like security scanner.

do you know the type of encoding?

I would like to decode and see the actual commands.

>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200
>> \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V
>> \356\277\200\370\023\264zR\360\243\307
>> \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226
>> \331
>> \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
>> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper
>> command pipelining after CONNECT from
>> battery.census.shodan.io[93.174.95.106]:
>> \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{
>> \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
>> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper
>> command pipelining after CONNECT from
>> scanner-29.ch1.censys-scanner.com[167.248.133.186]:
>> \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306
>> \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237


___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: improper command pipelining

2024-01-15 Thread Matus UHLAR - fantomas via Postfix-users

On 15.01.24 09:34, Admin Beckspaced via Postfix-users wrote:
> dear postfix users,
>
> since the recent SMTP smuggling issue I applied the short term
> workaround by setting smtpd_forbid_unauth_pipelining = yes
>
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
>
> the following showed up this morning.
>
> do I need to be worried?

someone is trying to use your postfix as an http proxy server.
Looks like security scanner.

> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V
> \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226
> \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command
> pipelining after CONNECT from
> scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] improper command pipelining

2024-01-15 Thread Admin Beckspaced via Postfix-users

dear postfix users,

since the recent SMTP smuggling issue I applied the short term 
workaround by setting smtpd_forbid_unauth_pipelining = yes


I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'

the following showed up this morning.

do i need to be worried?

thanks
& greetings
Becki


Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command 
pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
\026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 
\343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command 
pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
\026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V 
\356\277\200\370\023\264zR\360\243\307 
\270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command 
pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
\026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226 
\331 
\006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command 
pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
\026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ 
\366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command 
pipelining after CONNECT from 
scanner-29.ch1.censys-scanner.com[167.248.133.186]: 
\026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 
\265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org