git.proxmox.com Git - pmg-api.git/commit
templates: postfix: mitigate smtpsmuggling vulnerability
author Stoiko Ivanov <s.ivanov@proxmox.com>
Fri, 22 Dec 2023 09:57:26 +0000 (10:57 +0100)
committer Stoiko Ivanov <s.ivanov@proxmox.com>
Fri, 22 Dec 2023 10:14:29 +0000 (11:14 +0100)
commit 77e44f9161b49635f088e82d04035a052e175085
tree 61873edef61e88a15cf89c003da38beb27803dae
parent 2262f8f20157ac51436fed2a09ecf6bf2c38445f
templates: postfix: mitigate smtpsmuggling vulnerability

by disabling pipelining on the external port.
The fix in the postfix config for the smtp-smuggling vulnerability [0]
follows the current recommendation of postfix upstream [1].

By using `smtpd_data_restrictions` instead of the newer
`smtpd_forbid_unauth_pipelining`, the fix works for both PMG 7 and 8.

Tested with a handcrafted smtp-smuggling-session and verifying that:
* without the fix I get 2 mails
* with the fix I get 1 mail when sending to the external port, but
  still 2 mails when sending to the internal port

[0] https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
[1] https://www.postfix.org/smtp-smuggling.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
src/templates/main.cf.in
src/templates/master.cf.in