From 4f3c6d958b1711cbf1423f6ee00abb6a5dff59bb Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Tue, 2 Jan 2024 11:30:39 +0100
Subject: [PATCH] templates: postfix: forbid_bare_newline on external port

This patch addresses the smtp-smuggling vulnerability [0,1], with the
recommended fix by postfix upstream [2].

Disallowing bare linefeeds instead of crlf should not be a problem with
any standards-compliant MTA. The internal port allows bare linefeed,
since internal clients (mail-scripts written ages ago, some ancient
embedded systems) might not adhere to the protocol.

Additionally the mail-proxy allowlist (the ip and cidr entries are the
only ones applicable here) is also added to the global exceptions.

Currently the updated postfix-packages are not published in the security
repositories but only as stable updates [3,4]. However postfix ignores
unknown configuration parameters and only prints a warning to the
journal - so the changes to the templates can already be shipped, for
those users who have the stable-updates mirror enabled.

Tested with the current postfix in bookworm, then updating to the one in
bookworm-updates and running tests with netcat (verified with nc -C that
it still works with the correct line-termination):

```
$ nc -6 pmgtest 25
220 pmgtest.proxmox.com ESMTP Proxmox
EHLO pmgsender.proxmox.com
521 5.5.2 pmgtest.proxmox.com Error: bare received
```

[0] https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-51764
[2] https://www.postfix.org/smtp-smuggling.html
[3] https://security-tracker.debian.org/tracker/CVE-2023-51764
[4] https://lists.debian.org/debian-stable-announce/2023/12/msg00004.html

Signed-off-by: Stoiko Ivanov
---
 src/templates/main.cf.in   | 5 +++++
 src/templates/master.cf.in | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/templates/main.cf.in b/src/templates/main.cf.in
index c689af3..3b56355 100644
--- a/src/templates/main.cf.in
+++ b/src/templates/main.cf.in
@@ -101,6 +101,11 @@ unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %] smtpd_data_restrictions = reject_unauth_pipelining +smtpd_forbid_bare_newline = yes +smtpd_forbid_bare_newline_exclusions = + $mynetworks, + cidr:/etc/postfix/clientaccess + smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %] smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %] smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %] diff --git a/src/templates/master.cf.in b/src/templates/master.cf.in index 7d60d1d..674767d 100644 --- a/src/templates/master.cf.in +++ b/src/templates/master.cf.in @@ -92,6 +92,7 @@ scan unix - - n - [% pmg.mail.max_filters %] -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_data_restrictions= + -o smtpd_forbid_bare_newline = no [% pmg.mail.ext_port %] inet n - - - 1 postscreen -- 2.39.2
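Review bot: the exclusion list added in the main.cf.in hunk exempts `$mynetworks` as well as `cidr:/etc/postfix/clientaccess`, but the commit message only says the mail-proxy allowlist is added to the global exceptions; state explicitly that hosts in mynetworks may still deliver bare-LF mail to the external port, so the intended trust boundary is recorded with the change. Since the message also notes that a postfix without the fix ignores `smtpd_forbid_bare_newline` and only logs a warning, a short template comment above the new lines naming the minimum postfix version (the bookworm-updates build from [4]) would help whoever reads the rendered main.cf on an older install, and `postconf smtpd_forbid_bare_newline` after the update confirms the parameter is recognised rather than warned about.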
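Review bot: the override added in the master.cf.in hunk is written as `-o smtpd_forbid_bare_newline = no`, with whitespace around the `=`, while the neighbouring overrides in the same service (`-o smtpd_data_restrictions=` and the others) use the `name=value` short form without spaces; master.cf splits the short form on whitespace, so as written the option is unlikely to be applied as intended and should read `-o smtpd_forbid_bare_newline=no` (or the braced long form `-o { smtpd_forbid_bare_newline = no }`). After the fix, `postconf -P` should list the override for that service. Also, the hunk header places the new line in the `scan` unix service, whereas the commit message says the exemption is for the internal port; confirm that `scan` is the intended service (and that a separate internal inet listener, if any, gets the same treatment) and name the service in the message.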