ALPACA writeup

2021-08-03 Thread Wietse Venema
Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.

https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/

Wietse


Re: ALPACA writeup

2021-08-03 Thread John Levine
It appears that Wietse Venema  said:
>Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
>
>https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/

Just wondering, did you add the anti-http stuff because of ALPACA or was it 
already there?

R's,
John


Re: ALPACA writeup

2021-08-03 Thread Viktor Dukhovni
On Tue, Aug 03, 2021 at 01:23:32PM -0400, John Levine wrote:

> >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> 
> Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> already there?

Postfix is written *defensively*, so it terminates connections from
browsers sending SMTP commands and payload as a single HTTP request,
by detecting HTTP verbs and request headers.

These are defenses to protect SMTP servers from abused HTTP clients,
that fortuitously also work to protect HTTP clients from abusable SMTP
servers (that share certificates with HTTP servers, ...).

The defenses have been in place for quite some time.

Likewise, Postfix had detection of NUL bytes in certificate names, long
before Moxie exploited some CA to obtain a cert for "*\0.some.dom.ain",
and requires at least two labels after the "*" (no "*" or "*.tld" certs
were accepted).

Now that (a decade plus later) functionally equivalent checks have also
been in OpenSSL (1.0.2 and later) for some time, Postfix 3.6 (for now
the most recent stable release) finally delegates certificate name
checks to OpenSSL (and requires OpenSSL >= 1.1.1).

So while we don't always anticipate all future security issues, we have
a reasonable track record of being ready when they happen.

-- 
Viktor.


Re: ALPACA writeup

2021-08-03 Thread Wietse Venema
John Levine:
> It appears that Wietse Venema  said:
> >Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
> >
> >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> 
> Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> already there?
> 

Postfix 2.2 added both the GET etc. configurable forbidden word
list and header detection (changelog says 20041124).

The initial use case was blocking open proxies, but header detection
would also be useful to get rid of spambots that ignore 5XX responses
from the SMTP server.

Wietse


Re: ALPACA writeup

2021-08-03 Thread Claus Assmann
On Tue, Aug 03, 2021, John Levine wrote:

> Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> already there?

As a simple look at the source code of older releases shows
it was already there.



Re: ALPACA writeup

2021-08-03 Thread Noel Jones
On 8/3/2021 12:23 PM, John Levine wrote:
> It appears that Wietse Venema  said:
> >Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
> >
> >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> 
> Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> already there?
> 
> R's,
> John

I think 2004, so it's been there a while. Back then sometimes open 
web proxies were used to send spam knowing the MTA would ignore the 
invalid commands.

  -- Noel Jones


Re: ALPACA writeup

2021-08-03 Thread Viktor Dukhovni
On Tue, Aug 03, 2021 at 02:11:12PM -0400, Wietse Venema wrote:
> John Levine:
> > It appears that Wietse Venema  said:
> > >Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
> > >
> > >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> > 
> > Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> > already there?
> 
> Postfix 2.2 added both the GET etc. configurable forbidden word
> list and header detection (changelog says 20041124).

The initial detection of message headers in a command-context dates back
to 2002-02-18:

https://github.com/vdukhovni/postfix/blob/fddaffebfbc7668f28a17ab3f12a6bcb84ed296f/postfix/HISTORY#L6066-L6070

when it was just:

"Received:", 0, SMTPD_CMD_FLAG_HEADER,
"Subject:", 0, SMTPD_CMD_FLAG_HEADER,
"From:", 0, SMTPD_CMD_FLAG_HEADER,

- In postfix-1.1.7-20020501, the header list was expanded to include
  "Reply-To:" and "Message-ID:".

- In postfix-2.0.13-20030702, the list was further expanded to include
  "CONNECT" and "User-Agent:".

- Finally, in postfix-2.2-20041207, the code was updated to detect
  anything that looked like a header or a configurable list of commands
  (default: CONNECT GET POST).

-- 
Viktor.
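The two checks described in this thread (Viktor's earlier description of terminating connections that send HTTP verbs or request headers in SMTP command context, and the history above ending with "anything that looked like a header or a configurable list of commands, default CONNECT GET POST") can be illustrated with a small stand-alone program. This is an added example, not Postfix source: the forbidden-verb table is fixed rather than configurable, and the "looks like a header" heuristic (printable non-space characters immediately followed by a colon) is an assumed approximation of Postfix's own test, not a copy of it. Both sample sessions are constructed.

```c
/*
 * Added example (not Postfix source): a toy version of the command-context
 * checks described in this thread. An SMTP server that sees an HTTP request
 * line (a forbidden verb such as CONNECT/GET/POST) or a line that looks like
 * a message header where an SMTP command is expected hangs up instead of
 * tolerating the junk and carrying on. The heuristics are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cmd_verdict {
    CMD_OK = 0,                 /* plausible SMTP command, keep talking */
    CMD_FORBIDDEN_VERB = 1,     /* HTTP verb from the forbidden list */
    CMD_LOOKS_LIKE_HEADER = 2   /* "Name: value" where a command belongs */
};

/* Forbidden command list; the default named in the thread is CONNECT GET POST
   (Postfix makes this configurable; here it is a fixed table). */
static const char *const forbidden_commands[] = { "CONNECT", "GET", "POST", NULL };

/* Case-insensitive match of the first whitespace-delimited token only,
   so "GETX" or "POSTMASTER" is not mistaken for a forbidden verb. */
static int first_token_is(const char *line, const char *verb)
{
    size_t i;
    for (i = 0; verb[i] != '\0'; i++)
        if (toupper((unsigned char) line[i]) != (unsigned char) verb[i])
            return 0;               /* also stops if line ends early */
    return line[i] == '\0' || isspace((unsigned char) line[i]);
}

/* Assumed header heuristic: one or more printable, non-space characters
   immediately followed by ':'. Real SMTP commands that contain a colon
   ("MAIL FROM:<...>", "RCPT TO:<...>") have a space before it and pass. */
int looks_like_header(const char *line)
{
    const char *p = line;
    if (*p == '\0' || *p == ':')
        return 0;
    while (*p != '\0' && *p != ':') {
        if (!isgraph((unsigned char) *p))
            return 0;               /* space or control char before colon */
        p++;
    }
    return *p == ':';
}

/* Classify one line received in SMTP command context. */
enum cmd_verdict check_command_context(const char *line)
{
    const char *const *v;
    for (v = forbidden_commands; *v != NULL; v++)
        if (first_token_is(line, *v))
            return CMD_FORBIDDEN_VERB;
    if (looks_like_header(line))
        return CMD_LOOKS_LIKE_HEADER;
    return CMD_OK;
}

/* Walk a client's lines in order; return the index of the first line that
   would make the server hang up, or -1 if the whole sequence is acceptable. */
int first_rejected_line(const char *const *lines)
{
    int i;
    for (i = 0; lines[i] != NULL; i++)
        if (check_command_context(lines[i]) != CMD_OK)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample: a browser coerced into talking to an SMTP port
       sends an HTTP request, with SMTP-looking text only in its body. */
    static const char *const http_session[] = {
        "POST / HTTP/1.1",
        "Host: mail.example.com",
        "",
        "HELO browser.example.invalid",
        NULL
    };
    /* Constructed sample: an ordinary SMTP client. */
    static const char *const smtp_session[] = {
        "EHLO client.example.com",
        "MAIL FROM:<alice@example.com>",
        "RCPT TO:<bob@example.com>",
        "DATA",
        NULL
    };
    printf("http-shaped session rejected at line %d\n", first_rejected_line(http_session));
    printf("smtp session rejected at line %d\n", first_rejected_line(smtp_session));
    return 0;
}
```

The HTTP-shaped session is refused on its very first line, which is the property that makes the cross-protocol scenario in the writeup fail against Postfix: the server never reaches the point of interpreting the request body as SMTP. Note that the header check only applies in command context; once a client is inside DATA, header-looking lines are of course the message itself.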