[pfx] Re: SMTP Smuggling short & long term fixes
On Wed, Dec 20, 2023 at 05:48:43PM -0500, Wietse Venema via Postfix-users wrote:
> Wietse Venema via Postfix-users:
> > As part of a non-responsible disclosure process, SEC Consult has
> > published an email spoofing attack that involves a composition of
> > different mail service behaviors with respect to broken line endings.
>
> Also on-line at httpps://www.postfix.org/smtp-smuggling.html

FWIW, after minding p's:

Also on-line at https://www.postfix.org/smtp-smuggling.html

--
    Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SMTP Smuggling short & long term fixes
Wietse Venema via Postfix-users:
> As part of a non-responsible disclosure process, SEC Consult has
> published an email spoofing attack that involves a composition of
> different mail service behaviors with respect to broken line endings.

Also on-line at httpps://www.postfix.org/smtp-smuggling.html

	Wietse

> A short-term fix may be deployed now, before the upcoming long holiday:
>
> - Postfix 3.9 (stable release early 2024), rejects unauthorised
>   pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
>   but the "smtpd_forbid_unauth_pipelining" parameter defaults to
>   "no".
>
> Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate
> SMTP clients that mis-implement SMTP, but such clients are exceedingly
> rare, especially when email is sent across the Internet.
>
> This short-term fix will stop the published form of the attack, but
> other forms exist that will not be stopped in this manner.
>
> The longer-term fix stops all forms of the smuggling attacks and is
> in testing. For most sites, this fix will be too late for deployment
> before a long holiday break, when typically production changes are
> not allowed until January.
>
> Timeline:
> Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
> Dec 19 Implement fix for Postfix, start testing and Q/A
> Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
> Dec 23 First day of a 10+ day holiday break and production freeze
>
> References:
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
>
> 	Wietse
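Added example, not from the thread and not Postfix code: a small Python audit of the bytes a client sends in the DATA phase. It models the receiving-side rule behind the longer-term fix Wietse describes, namely that only <CR><LF>.<CR><LF> ends message data and that message content containing a bare <LF> or bare <CR> is refused, so every server in a relay chain agrees on where one message ends. The function names, the DataAudit record and the sample streams are constructed for this example.

```python
"""Strict SMTP DATA line-ending audit (added example, not Postfix code).

Policy modeled: only CRLF.CRLF terminates message data, and message content
may not contain a bare LF or a bare CR. A receiver that applies this rule
does not disagree with a strict downstream server about message boundaries.
"""
from dataclasses import dataclass
from typing import Tuple

CR, LF = 0x0D, 0x0A
END_OF_DATA = b"\r\n.\r\n"   # the only end-of-data indicator RFC 5321 defines


@dataclass
class DataAudit:
    terminated: bool   # canonical CRLF.CRLF terminator was found
    bare_lf: int       # LF bytes not preceded by CR
    bare_cr: int       # CR bytes not followed by LF
    trailing: int      # bytes that followed the terminator in the same stream
    accept: bool       # True only if the content passes the strict policy


def count_bare_line_endings(data: bytes) -> Tuple[int, int]:
    """Count CR and LF bytes that do not form a CRLF pair."""
    bare_lf = bare_cr = 0
    i, n = 0, len(data)
    while i < n:
        if data[i] == CR:
            if i + 1 < n and data[i + 1] == LF:
                i += 2          # proper CRLF pair: skip both bytes
                continue
            bare_cr += 1
        elif data[i] == LF:
            bare_lf += 1        # any LF reached here was not preceded by CR
        i += 1
    return bare_lf, bare_cr


def audit_data(stream: bytes) -> DataAudit:
    """Audit the bytes a client sent after the DATA command was accepted."""
    end = stream.find(END_OF_DATA)
    terminated = end != -1
    body = stream[:end] if terminated else stream
    trailing = len(stream) - (end + len(END_OF_DATA)) if terminated else 0
    bare_lf, bare_cr = count_bare_line_endings(body)
    accept = terminated and bare_lf == 0 and bare_cr == 0
    return DataAudit(terminated, bare_lf, bare_cr, trailing, accept)


# Constructed sample streams (not captured traffic).
CLEAN = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n"
         b"\r\nhello\r\n.\r\n")
BARE_LF = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n"
           b"\r\nhello\n.\nmore text\r\n.\r\n")   # two bare LF inside the content
UNTERMINATED = b"Subject: hi\r\n\r\nstill sending"

if __name__ == "__main__":
    for name, s in (("clean", CLEAN), ("bare_lf", BARE_LF),
                    ("unterminated", UNTERMINATED)):
        print(name, audit_data(s))
```

The audit reports rather than rewrites: a receiver that applied this policy would reject a DATA phase with `accept == False` and would treat a non-zero `trailing` count as data the client sent before waiting for the server's reply, which is exactly the pipelining behaviour the short-term "smtpd_forbid_unauth_pipelining = yes" setting refuses from clients that have not negotiated it.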
[pfx] Re: SMTP Smuggling short & long term fixes
Thanks, Bill. That did it. :)
[pfx] Re: SMTP Smuggling short & long term fixes'
I assumed it should be in main.cf. I meant which section. I tried to redefine it in smtpd_helo_restrictions since that seemed reasonable. Running postconf shows it, as you say, set to no but I cannot set it to yes.

--
Dave Stiles
Linkcheck Bristol Web Design
Tel: 0117 9248413
https://www.bristolweb.net
https://www.linkcheck.co.uk
[pfx] Re: SMTP Smuggling short & long term fixes'
Linkcheck via Postfix-users:
> On 20/12/2023 3:51 pm, Wietse Venema via Postfix-users wrote:
> > "smtpd_forbid_unauth_pipelining = yes
>
> I tried that (3.7.6) and got...
> warning: unknown smtpd restriction: "smtpd_forbid_unauth_pipelining"
>
> Where should I have placed it?

Ask your vendor. The setting is included with Postfix 3.7.6.

    $ pwd
    /tmp/postfix-3.7.6
    $ bin/postconf smtpd_forbid_unauth_pipelining
    smtpd_forbid_unauth_pipelining = no

	Wietse
[pfx] Re: SMTP Smuggling short & long term fixes
On 20/12/2023 3:51 pm, Wietse Venema via Postfix-users wrote:
"smtpd_forbid_unauth_pipelining = yes

I tried that (3.7.6) and got...
warning: unknown smtpd restriction: "smtpd_forbid_unauth_pipelining"

Where should I have placed it?