From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] postfix: Update to version 3.8.4 + prevent smtp smuggling
Date: Sun, 07 Jan 2024 19:09:00 +0000 [thread overview]
Message-ID: <59bb451d-20ce-4fc1-8bee-1b245b1268fb@ipfire.org> (raw)
In-Reply-To: <20231226131036.3260423-3-adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> - Update from version 3.8.3 to 3.8.4
> - Update of rootfile not required
> - Permanent fix for SMTP smuggling will be in version 3.9. However, the fix has been
> backported into version 3.8.4, but with the default for the parameter set to "no".
> - This patch sets the defaults for all the main.cf parameters highlighted by Wietse
> Venema in http://www.postfix.org/smtp-smuggling.html
> - Additionally, the implementation of smtpd_forbid_bare_newline = yes has been added to
> the install.sh pak for postfix so that it will be included in any main.cf file being
> restored from backup. This parameter is available for the first time in 3.8.4, so it will
> not be in any backup prior to this release and can therefore be safely applied to
> restored versions of main.cf.
> - This fix in install.sh can be removed once version 3.9 is released early
> in 2024, as the default for that parameter from that version onwards will then be "yes".
> - Changelog
> 3.8.4
> Security: with "smtpd_forbid_bare_newline = yes" (default
> "no" for Postfix < 3.9), reply with "Error: bare <LF>
> received" and disconnect when an SMTP client sends a line
> ending in <LF>, violating the RFC 5321 requirement that
> lines must end in <CR><LF>. This prevents SMTP smuggling
> attacks that target a recipient at a Postfix server. For
> backwards compatibility, local clients are excluded by
> default with "smtpd_forbid_bare_newline_exclusions =
> $mynetworks". Files: mantools/postlink, proto/postconf.proto,
> global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
> smtpd/smtpd.c.
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> lfs/postfix | 15 +++++++++++----
> src/paks/postfix/install.sh | 5 +++++
> 2 files changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/lfs/postfix b/lfs/postfix
> index aab683f4c..7f2625a4e 100644
> --- a/lfs/postfix
> +++ b/lfs/postfix
> @@ -26,7 +26,7 @@ include Config
>
> SUMMARY = A fast, secure, and flexible mailer
>
> -VER = 3.8.3
> +VER = 3.8.4
>
> THISAPP = postfix-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = postfix
> -PAK_VER = 43
> +PAK_VER = 44
>
> DEPS =
>
> @@ -70,7 +70,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = a656606c2a46671548cb954a65d769ba5bf68a5c8f0ccdc0e753b03386956eef3e264b696a306c586f1df1b06fb173e5f3db74c6a9e4d3686c86b8f53be585ed
> +$(DL_FILE)_BLAKE2 = 200ce3d72444da05e42fc8627002d53d68c1b3d78b7f74b0130ac958c23d16454783ef4849a8c9a4e3cba8ae36646e921f7e94ac4fb819b597e1a5ab1a875272
>
> install : $(TARGET)
>
> @@ -110,13 +110,20 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> cd $(DIR_APP) && sh postfix-install -non-interactive
> ## Install configuration
> rm -vf /etc/postfix/main.cf.default
> +
> + # update main.cf parameters to prevent smtp smuggling attack
> + postconf -e 'smtpd_forbid_bare_newline = yes'
> + postconf -e 'smtpd_forbid_unauth_pipelining = yes'
> + postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining'
> + postconf -e 'smtpd_discard_ehlo_keywords = chunking'
> +
> mkdir -p /var/lib/postfix
> chown postfix.root /var/lib/postfix
>
> install -v -m 644 $(DIR_SRC)/config/backup/includes/postfix \
> /var/ipfire/backup/addons/includes/postfix
> mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix
> -
> +
> #install initscripts
> $(call INSTALL_INITSCRIPTS,$(SERVICES))
>
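Review bot: `smtpd_discard_ehlo_keywords = chunking` (the fourth `postconf -e` line) switches off BDAT/CHUNKING for every client, not only untrusted ones, and `smtpd_data_restrictions = reject_unauth_pipelining` overwrites any existing value of that parameter rather than appending to it. Since `smtpd_forbid_bare_newline = yes` already rejects the bare <LF> the changelog describes, the commit message should say whether the other three settings are meant to stay or are a stopgap to be dropped together with the install.sh workaround. Note also the changelog's default `smtpd_forbid_bare_newline_exclusions = $mynetworks`: clients inside $mynetworks may still send bare <LF>, so the check does not cover hosts on the local networks unless that exclusion list is narrowed. The trailing `-`/`+` pair at the end of the hunk is a whitespace-only change unrelated to the fix and could be dropped to keep the diff focused.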
> diff --git a/src/paks/postfix/install.sh b/src/paks/postfix/install.sh
> index 1629d21c1..2e04e74a8 100644
> --- a/src/paks/postfix/install.sh
> +++ b/src/paks/postfix/install.sh
> @@ -24,6 +24,11 @@
> . /opt/pakfire/lib/functions.sh
> extract_files
> restore_backup ${NAME}
> +
> +# change main.cf parameter from default value to prevent smtp smuggling attack
> +# will not be required once postfix-3.9.x is released as default will then be yes
> +postconf -e 'smtpd_forbid_bare_newline = yes'
> +
> postalias /etc/aliases
> # Set postfix's hostname
> postconf -e "myhostname=$(hostname -f)"
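Review bot: only `smtpd_forbid_bare_newline` is re-applied after `restore_backup ${NAME}`; the other three parameters set in lfs/postfix (`smtpd_forbid_unauth_pipelining`, `smtpd_data_restrictions`, `smtpd_discard_ehlo_keywords`) are not, so a main.cf restored from a pre-3.8.4 backup comes back without them while a fresh build has all four. If the intent is that restored configurations keep the admin's own values for those three, say so in the comment; otherwise re-apply them here as well, or test for their absence with `postconf -h` before writing. The unconditional `postconf -e` also runs on every pak install, so an admin who deliberately set the parameter to `no` has it flipped back each time; that is acceptable for a security default, but the comment about removing the line once postfix-3.9.x ships should be backed by a tracking item so it does not outlive its purpose.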
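The bare <LF> line ending that the quoted changelog describes is the whole mechanism behind SMTP smuggling, so here is a small constructed model of it, added for this page and not code from the patch, from IPFire or from Postfix. It assumes a simplified receiving MTA that interprets only MAIL FROM, RCPT TO and DATA; the session bytes, the attacker.example and target.example names and all function names are constructed for the illustration. A lenient parser that ends DATA on a bare <LF> followed by "." splits the attacker's single message into two and accepts the second with a forged envelope sender, a strict CRLF-only parser keeps everything as the body of one message, and a bare-LF check of the kind smtpd_forbid_bare_newline enables rejects the session before any of that happens.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Terminator a strict RFC 5321 parser accepts: <CR><LF>.<CR><LF> only.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# Terminator a lenient parser accepts: it also treats a bare <LF> as a line
# ending, so <LF>.<LF>, <LF>.<CR><LF> and <CR><LF>.<LF> all end the DATA phase.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")
# A <LF> not preceded by <CR>: what "smtpd_forbid_bare_newline = yes" rejects.
BARE_LF = re.compile(rb"(?<!\r)\n")

# Constructed attacker session, as forwarded by an outbound relay that passes
# the DATA bytes through unchanged. The outer envelope is well-formed; inside
# the body, "<LF>.<CR><LF>" is a forged end-of-data followed by a second
# envelope with a spoofed sender in the target's own domain.
SMUGGLING_SESSION = (
    b"EHLO attacker.example\r\n"
    b"MAIL FROM:<attacker@attacker.example>\r\n"
    b"RCPT TO:<victim@target.example>\r\n"
    b"DATA\r\n"
    b"Subject: harmless\r\n"
    b"\r\n"
    b"first message\n"
    b".\r\n"
    b"MAIL FROM:<ceo@target.example>\r\n"
    b"RCPT TO:<victim@target.example>\r\n"
    b"DATA\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"smuggled message\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


@dataclass
class Message:
    mail_from: Optional[str]
    rcpt_to: List[str]
    body: bytes


def find_bare_lf(stream: bytes) -> Optional[int]:
    """Offset of the first bare <LF> in the client's bytes, or None if every
    line ends in <CR><LF>. A server enforcing the check would reply
    'Error: bare <LF> received' and disconnect instead of parsing further."""
    m = BARE_LF.search(stream)
    return m.start() if m else None


def parse_session(stream: bytes, strict: bool) -> List[Message]:
    """Toy model of how a receiving MTA slices one TCP session into messages.
    Only MAIL FROM, RCPT TO and DATA are interpreted; other commands are skipped."""
    eol = re.compile(rb"\r\n" if strict else rb"\r?\n")
    eod = STRICT_EOD if strict else LENIENT_EOD
    msgs: List[Message] = []
    mail_from: Optional[str] = None
    rcpt_to: List[str] = []
    pos = 0
    while pos < len(stream):
        m = eol.search(stream, pos)
        if m is None:
            break  # incomplete trailing line
        line = stream[pos:m.start()]
        pos = m.end()
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from = line[10:].strip().decode()
        elif upper.startswith(b"RCPT TO:"):
            rcpt_to.append(line[8:].strip().decode())
        elif upper == b"DATA":
            # Prepend the <CR><LF> that ended the DATA line so an empty body
            # (terminator immediately after DATA) is found as well.
            window = b"\r\n" + stream[pos:]
            t = eod.search(window)
            if t is None:
                break  # client never terminated DATA
            msgs.append(Message(mail_from, rcpt_to, window[2:t.start()]))
            pos += t.end() - 2
            mail_from, rcpt_to = None, []
    return msgs


if __name__ == "__main__":
    for strict in (False, True):
        msgs = parse_session(SMUGGLING_SESSION, strict)
        print(f"strict={strict}: {len(msgs)} message(s)")
        for msg in msgs:
            print(f"  from {msg.mail_from} to {msg.rcpt_to}: {msg.body[:40]!r}")
    print("first bare <LF> at offset", find_bare_lf(SMUGGLING_SESSION))
```

The lenient parser delivers a second message from `<ceo@target.example>` that the attacker never authenticated for, while the strict parser sees only one message whose body happens to contain SMTP commands as text. The bare-LF check fires on the very first non-CRLF line, which is why it sits in smtpd and fires before DATA is interpreted; per the changelog, clients in `$mynetworks` are excluded from it by default, so the model's strictness only applies to clients outside that list.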
Thread overview: 9+ messages
2023-12-26 13:10 [PATCH] openssh: Update to version 9.6p1 Adolf Belka
2023-12-26 13:10 ` [PATCH] openssl: Update to version 3.2.0 Adolf Belka
2023-12-30 6:52 ` Peter Müller
2024-01-03 12:18 ` Michael Tremer
2023-12-26 13:10 ` [PATCH] postfix: Update to version 3.8.4 + prevent smtp smuggling Adolf Belka
2024-01-07 19:09 ` Peter Müller [this message]
2023-12-26 13:10 ` [PATCH] qpdf: Update to version 11.7.0 Adolf Belka
2023-12-26 13:10 ` [PATCH] tzdata: Update to version 2023d Adolf Belka
2023-12-30 6:55 ` [PATCH] openssh: Update to version 9.6p1 Peter Müller