public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] postfix: Update to version 3.8.4 + prevent smtp smuggling
Date: Tue, 26 Dec 2023 14:10:34 +0100	[thread overview]
Message-ID: <20231226131036.3260423-3-adolf.belka@ipfire.org> (raw)
In-Reply-To: <20231226131036.3260423-1-adolf.belka@ipfire.org>


- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However, the fix has been
   backported into version 3.8.4 but with the default for the parameter set to "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse
   Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally, the implementation of smtpd_forbid_bare_newline = yes has been added to
   the install.sh pak for postfix so that it will be included in any main.cf file being
   restored from backup. This parameter is available for the first time in 3.8.4, so it will
   not be in any backup prior to this release and can therefore be safely applied to
   restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early
   in 2024, as the default for that parameter from that version onwards will then be "yes".
- Changelog
    3.8.4
	Security: with "smtpd_forbid_bare_newline = yes" (default
	 "no" for Postfix < 3.9), reply with "Error: bare <LF>
	 received" and disconnect when an SMTP client sends a line
	 ending in <LF>, violating the RFC 5321 requirement that
	 lines must end in <CR><LF>. This prevents SMTP smuggling
	 attacks that target a recipient at a Postfix server. For
	 backwards compatibility, local clients are excluded by
	 default with "smtpd_forbid_bare_newline_exclusions =
	 $mynetworks". Files: mantools/postlink, proto/postconf.proto,
	 global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
	 smtpd/smtpd.c.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/postfix                 | 15 +++++++++++----
 src/paks/postfix/install.sh |  5 +++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lfs/postfix b/lfs/postfix
index aab683f4c..7f2625a4e 100644
--- a/lfs/postfix
+++ b/lfs/postfix
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A fast, secure, and flexible mailer
 
-VER        = 3.8.3
+VER        = 3.8.4
 
 THISAPP    = postfix-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = postfix
-PAK_VER    = 43
+PAK_VER    = 44
 
 DEPS       =
 
@@ -70,7 +70,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = a656606c2a46671548cb954a65d769ba5bf68a5c8f0ccdc0e753b03386956eef3e264b696a306c586f1df1b06fb173e5f3db74c6a9e4d3686c86b8f53be585ed
+$(DL_FILE)_BLAKE2 = 200ce3d72444da05e42fc8627002d53d68c1b3d78b7f74b0130ac958c23d16454783ef4849a8c9a4e3cba8ae36646e921f7e94ac4fb819b597e1a5ab1a875272
 
 install : $(TARGET)
 
@@ -110,13 +110,20 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && sh postfix-install -non-interactive
 	## Install configuration
 	rm -vf /etc/postfix/main.cf.default
+	
+	# update main.cf parameters to prevent smtp smuggling attack
+	postconf -e 'smtpd_forbid_bare_newline = yes'
+	postconf -e 'smtpd_forbid_unauth_pipelining = yes'
+	postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining'
+	postconf -e 'smtpd_discard_ehlo_keywords = chunking'
+	
 	mkdir -p /var/lib/postfix
 	chown postfix.root /var/lib/postfix
 
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/postfix \
 			 /var/ipfire/backup/addons/includes/postfix
 	mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix
-
+	
 	#install initscripts
 	$(call INSTALL_INITSCRIPTS,$(SERVICES))
 
diff --git a/src/paks/postfix/install.sh b/src/paks/postfix/install.sh
index 1629d21c1..2e04e74a8 100644
--- a/src/paks/postfix/install.sh
+++ b/src/paks/postfix/install.sh
@@ -24,6 +24,11 @@
 . /opt/pakfire/lib/functions.sh
 extract_files
 restore_backup ${NAME}
+
+# change main.cf parameter from default value to prevent smtp smuggling attack
+# will not be required once postfix-3.9.x is released as default will then be yes
+postconf -e 'smtpd_forbid_bare_newline = yes'
+
 postalias /etc/aliases
 # Set postfix's hostname
 postconf -e "myhostname=$(hostname -f)"
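Review bot: only smtpd_forbid_bare_newline is re-applied after restore_backup, so a main.cf restored from a pre-3.8.4 backup comes back without the smtpd_forbid_unauth_pipelining, reject_unauth_pipelining and chunking settings that the lfs hunk applies to fresh installs. The commit message gives the reason (those three parameters predate 3.8.4 and may carry user-chosen values in a backup), but the result is that upgraded systems end up with weaker mitigations than new ones; the comment here should say so, and it may be worth applying those three only when the restored file does not already set them. Also, like the lfs hunk, this line has no check that postconf succeeded; a failure here would leave the parameter at its 3.8.4 default of "no" silently.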
-- 
2.43.0
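As an added illustration, not part of this patch or of IPFire's code: a small Python audit that parses a main.cf and checks the four parameters the patch sets, reporting which ones are at the patched value, missing (so the built-in default applies, which for smtpd_forbid_bare_newline is "no" on 3.8.4), or set to something else. The sample main.cf is constructed and models the case the install.sh hook leaves open: a file restored from a pre-3.8.4 backup after only smtpd_forbid_bare_newline was re-applied.

```python
import re

# Expected values taken from the patch's postconf -e lines; True marks a
# list-valued parameter where the required token only needs to be present.
EXPECTED = {
    "smtpd_forbid_bare_newline": ("yes", False),
    "smtpd_forbid_unauth_pipelining": ("yes", False),
    "smtpd_data_restrictions": ("reject_unauth_pipelining", True),
    "smtpd_discard_ehlo_keywords": ("chunking", True),
}

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # A line starting with whitespace continues the previous value.
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit(params):
    """Map each expected parameter to 'ok', 'missing', or the weak value found."""
    result = {}
    for name, (want, is_list) in EXPECTED.items():
        value = params.get(name)
        if value is None:
            result[name] = "missing"   # built-in default applies
        elif is_list:
            tokens = [t for t in re.split(r"[,\s]+", value) if t]
            result[name] = "ok" if want in tokens else value
        else:
            result[name] = "ok" if value.lower() == want else value
    return result

# Constructed sample: a main.cf restored from a pre-3.8.4 backup after the
# patch's install.sh has re-applied only smtpd_forbid_bare_newline.
SAMPLE_RESTORED = """\
smtpd_forbid_bare_newline = yes
smtpd_data_restrictions =
    permit_mynetworks,
    permit
"""
```

Running `audit(parse_main_cf(SAMPLE_RESTORED))` shows the bare-newline guard as ok but the other three parameters missing or at their old value.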