On Mon, Aug 02, 2021 at 04:11:42PM -0400, John Levine wrote:
> People in the web world are in a kerfuffle about an attack called ALPACA
> which (leaving out a lot of details) gets a web browser to send requests
> to a non-web server and then get the browser to interpret the responses in
John Levine:
> People in the web world are in a kerfuffle about an attack called ALPACA
> which (leaving out a lot of details) gets a web browser to send requests
> to a non-web server and then get the browser to interpret the responses in
> unfortunate ways. Most of the unfortunateness
The ALPACA paper (table 2+3)/website explain that postfix is not
vulnerable to this problem - postfix drops the connection immediately
on common HTTP commands.
--
Please don't Cc: me, use only the list for replies.
I don't see a parameter to limit the number of bad commands in a
session. Is there one?
http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit
http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit
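
Added example, not part of the thread and not Postfix code: a log check for the two behaviours discussed above, HTTP verbs arriving on the SMTP port and sessions cut off at the error limit. The sample lines are constructed, and the message wording ("non-SMTP command from", "too many errors after") is an assumption about how smtpd logs these events; adjust the patterns to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix smtpd syslog output
# (documentation address ranges, hypothetical host names).
SAMPLE_LOG = """\
Aug  2 20:15:01 mx postfix/smtpd[4211]: connect from unknown[192.0.2.10]
Aug  2 20:15:01 mx postfix/smtpd[4211]: warning: non-SMTP command from unknown[192.0.2.10]: POST /login HTTP/1.1
Aug  2 20:15:01 mx postfix/smtpd[4211]: disconnect from unknown[192.0.2.10]
Aug  2 20:16:40 mx postfix/smtpd[4212]: too many errors after RCPT from host.example[198.51.100.7]
Aug  2 20:17:02 mx postfix/smtpd[4213]: warning: non-SMTP command from unknown[192.0.2.10]: GET / HTTP/1.1
Aug  2 20:18:30 mx postfix/smtpd[4214]: connect from mail.example[203.0.113.5]
"""

# Assumed log wording; group 1 is the client address, group 2 the first token sent.
NON_SMTP = re.compile(r"warning: non-SMTP command from \S+\[([^\]]+)\]: (\S+)")
# Group 1 is the last SMTP command seen, group 2 the client address.
TOO_MANY = re.compile(r"too many errors after (\S+) from \S+\[([^\]]+)\]")


def summarize(log_text):
    """Return {client_ip: {"non_smtp": [verbs], "error_limit_hits": n}}."""
    clients = defaultdict(lambda: {"non_smtp": [], "error_limit_hits": 0})
    for line in log_text.splitlines():
        if "postfix/smtpd[" not in line:
            continue  # ignore other daemons sharing the same log file
        m = NON_SMTP.search(line)
        if m:
            clients[m.group(1)]["non_smtp"].append(m.group(2))
            continue
        m = TOO_MANY.search(line)
        if m:
            clients[m.group(2)]["error_limit_hits"] += 1
    return dict(clients)


def http_probers(log_text, verbs=("GET", "POST", "CONNECT")):
    """Client IPs that sent at least one HTTP verb to the SMTP port."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if any(v in verbs for v in c["non_smtp"]))


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, counts)
    print("HTTP on SMTP port:", http_probers(SAMPLE_LOG))
```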
People in the web world are in a kerfuffle about an attack called ALPACA
which (leaving out a lot of details) gets a web browser to send requests
to a non-web server and then get the browser to interpret the responses in
unfortunate ways. Most of the unfortunateness comes from the server