diff --git a/postfix/HISTORY b/postfix/HISTORY index cb4186ec1..059274b52 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27720,3 +27720,14 @@ Apologies for any names omitted. Reverted some changes after postfix-3.9-20240112, and updated documentation. + +20240118 + + Documentation: Microsoft uses BDAT to send content with + bare LF. This violates the canonical MIME format for text + messages as required in RFC 3030 section 3, and as defined + in RFC 2045 sections 2.7 and 2.8. Files: proto/postconf.proto, + RELEASE_NOTES. + + Baseline for back porting the SMTP smuggling fixes to Postfix + 3.8.5, 3.7.10, 3.6.14, and 3.5.24. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 6beddc855..c2529bc9b 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -45,7 +45,7 @@ stray or characters. This feature applies to all email that Postfix locally or remotely sends out. It is not allowlisted based on client identity. -Major changes with snapshot 20240116 +Major changes with snapshot 20240118 ==================================== This updates Postfix fixes for inbound SMTP smuggling attacks. For 
@@ -77,38 +77,52 @@ The recommended Postfix 3.9 settings (i.e. the defaults) are now: # Otherwise, allow bare and process it as if the client sent # . # - # Exclude local SMTP clients from enforcement. - # # This maintains compatibility with many legitimate SMTP client # applications that send a mix of standard and non-standard line # endings, but will fail to receive email from client implementations - # that do not send .. Such clients need to be - # excluded with smtpd_forbid_bare_newline_exclusions. + # that do not terminate DATA content with the standard End-of-DATA + # sequence .. + # + # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. + # The example below allowlists SMTP clients in trusted networks. # smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks Alternative settings: - # Reject input lines that end in , require that input lines - # end in , and require the standard End-of-DATA sequence - # .. + # Reject input lines that contain and log a "bare received" + # error. Require that input lines end in , and require the + # standard End-of-DATA sequence .. # - # Exclude local SMTP clients from enforcement. + # This will reject email from SMTP clients that send any non-standard + # line endings such as web applications, netcat, or load balancer + # health checks. # - # This will fail to receive email from SMTP clients that send any - # non-standard line endings such as web applications, netcat, or - # load balancer health checks. Such clients need to be excluded with - # smtpd_forbid_bare_newline_exclusions. + # This will also reject some email from Microsoft services whose + # BDAT implementations violate the canonical MIME format for text + # messages required in RFC 3030 Section 3, and defined in RFC 2045 + # Sections 2.7 and 2.8. + # + # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. + # The example below allowlists SMTP clients in trusted networks. 
# smtpd_forbid_bare_newline = reject smtpd_forbid_bare_newline_exclusions = $mynetworks + # + # Alternatively, in the case of BDAT violations, BDAT can be selectively + # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally + # disabled with smtpd_discard_ehlo_keywords. + # + # smtpd_discard_ehlo_keyword_address_maps = + # cidr:{{10.0.0.1/24 chunking, silent-discard}} + # smtpd_discard_ehlo_keywords = chunking, silent-discard Major changes with snapshot 20240106 ==================================== -Inbound SMTP smuggling: strip extra in ., -to silence some tools that send attack sequences that are not viable. +Inbound SMTP smuggling: don't strip extra in ., +to silence test tools that send attack sequences that are not viable. Details at https://www.postfix.org/false-smuggling-claims.html Incompatible changes with snapshot 20231221 diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index ae0c01a35..2fe15dcc2 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -15976,21 +15976,28 @@ non-standard <LF>, and process them as if the client sent the standard <CR><LF>.

This maintains compatibility with many legitimate SMTP client applications that send a mix of standard and non-standard line endings, but will fail to receive -email from client implementations that do not send -<CR><LF>.<CR><LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions. +email from client implementations that do not terminate DATA content +with the standard End-of-DATA sequence +<CR><LF>.<CR><LF>.

Such clients +can be excluded with smtpd_forbid_bare_newline_exclusions.
yes
Compatibility alias for normalize.
reject
Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Reject a command -or message content when a line ends in <LF>, log a "bare +or message content when a line contains bare <LF>, log a "bare <LF> received" error, and reply with the SMTP status code in -$smtpd_forbid_bare_newline_reject_code.

This will fail -to receive email from SMTP clients that may send any non-standard -line endings such as web applications, netcat, or load balancer -health checks. Such clients need to be excluded with -smtpd_forbid_bare_newline_exclusions.
+$smtpd_forbid_bare_newline_reject_code.

This will reject +email from SMTP clients that send any non-standard line endings +such as web applications, netcat, or load balancer health checks. +

This will also reject some email from Microsoft services +whose BDAT implementations violate the canonical MIME format for +text messages required in RFC 3030 Section 3, and defined in RFC +2045 Sections 2.7 and 2.8.

Such clients can be excluded +with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT +violations, BDAT can be selectively disabled with +smtpd_discard_ehlo_keyword_address_maps, or globally disabled with +smtpd_discard_ehlo_keywords).
no
Do not require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Always process @@ -16002,7 +16009,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling. -

Examples:

+

Example 1:

@@ -16010,34 +16017,50 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
 # Otherwise, allow bare <LF> and process it as if the client sent
 # <CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
-#
 # This maintains compatibility with many legitimate SMTP client
 # applications that send a mix of standard and non-standard line
 # endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 
+

Example 2:

+
-# Reject input lines that end in <LF>, require that input lines
-# end in <CR><LF>, and require the standard End-of-DATA sequence
-# <CR><LF>.<CR><LF>.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
 #
-# This will fail to receive email from SMTP clients that send any
-# non-standard line endings such as web applications, netcat, or
-# load balancer health checks. Such clients need to be excluded with
-# smtpd_forbid_bare_newline_exclusions.
+# This will also reject some email from Microsoft services whose
+# BDAT implementations violate the canonical MIME format for text
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+#     cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent-discard
 
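Review bot: the Example 1 and Example 2 comments in this hunk say clients "can be allowlisted with smtpd_forbid_bare_newline_exclusions" and that "The example below allowlists SMTP clients in trusted networks", while the normalize and reject descriptions in the @@ -15976 hunk keep "Such clients can be excluded with smtpd_forbid_bare_newline_exclusions"; pick one term for the parameter text and the examples (the parameter name itself says exclusions, and "allowlists" is being added to proto/stop in this same patch, so either is defensible, but not both in the same entry). The HISTORY entry lists only proto/postconf.proto and RELEASE_NOTES as the changed files, so the wording fix belongs in postconf.proto, with html/postconf.5.html and man/man5/postconf.5 regenerated from it rather than touched by hand.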
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 3d3f670a6..fafa29b83 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -11049,9 +11049,13 @@ standard . This maintains compatibility with many legitimate SMTP client applications that send a mix of standard and non\-standard line endings, but will fail to receive -email from client implementations that do not send -.. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions. +email from client implementations that do not terminate DATA content +with the standard End\-of\-DATA sequence +.. +.br +.br +Such clients +can be excluded with smtpd_forbid_bare_newline_exclusions. .br .IP "\fByes\fR" Compatibility alias for \fBnormalize\fR. 
@@ -11059,16 +11063,27 @@ Compatibility alias for \fBnormalize\fR. .IP "\fBreject\fR" Require the standard End\-of\-DATA sequence .. Reject a command -or message content when a line ends in , log a "bare +or message content when a line contains bare , log a "bare received" error, and reply with the SMTP status code in $smtpd_forbid_bare_newline_reject_code. .br .br -This will fail -to receive email from SMTP clients that may send any non\-standard -line endings such as web applications, netcat, or load balancer -health checks. Such clients need to be excluded with -smtpd_forbid_bare_newline_exclusions. +This will reject +email from SMTP clients that send any non\-standard line endings +such as web applications, netcat, or load balancer health checks. +.br +.br +This will also reject some email from Microsoft services +whose BDAT implementations violate the canonical MIME format for +text messages required in RFC 3030 Section 3, and defined in RFC +2045 Sections 2.7 and 2.8. +.br +.br +Such clients can be excluded +with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT +violations, BDAT can be selectively disabled with +smtpd_discard_ehlo_keyword_address_maps, or globally disabled with +smtpd_discard_ehlo_keywords). .br .IP "\fBno\fR" Do not require the standard End\-of\-DATA @@ -11079,7 +11094,7 @@ an Internet\-facing SMTP server, because it is vulnerable to SMTP smuggling. .br .br .PP -Examples: +Example 1: .sp .in +4 .nf 
@@ -11089,13 +11104,14 @@ Examples: # Otherwise, allow bare and process it as if the client sent # . # -# Exclude local SMTP clients from enforcement. -# # This maintains compatibility with many legitimate SMTP client # applications that send a mix of standard and non\-standard line # endings, but will fail to receive email from client implementations -# that do not send .. Such clients need to be -# excluded with smtpd_forbid_bare_newline_exclusions. +# that do not terminate DATA content with the standard End\-of\-DATA +# sequence .. +# +# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. +# The example below allowlists SMTP clients in trusted networks. # smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks 
@@ -11103,24 +11119,39 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks .ad .ft R .in -4 +.PP +Example 2: .sp .in +4 .nf .na .ft C -# Reject input lines that end in , require that input lines -# end in , and require the standard End\-of\-DATA sequence -# .. +# Reject input lines that contain and log a "bare received" +# error. Require that input lines end in , and require the +# standard End\-of\-DATA sequence .. # -# Exclude local SMTP clients from enforcement. +# This will reject email from SMTP clients that send any non\-standard +# line endings such as web applications, netcat, or load balancer +# health checks. # -# This will fail to receive email from SMTP clients that send any -# non\-standard line endings such as web applications, netcat, or -# load balancer health checks. Such clients need to be excluded with -# smtpd_forbid_bare_newline_exclusions. +# This will also reject some email from Microsoft services whose +# BDAT implementations violate the canonical MIME format for text +# messages required in RFC 3030 Section 3, and defined in RFC 2045 +# Sections 2.7 and 2.8. +# +# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. +# The example below allowlists SMTP clients in trusted networks. # smtpd_forbid_bare_newline = reject smtpd_forbid_bare_newline_exclusions = $mynetworks +# +# Alternatively, in the case of BDAT violations, BDAT can be selectively +# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally +# disabled with smtpd_discard_ehlo_keywords. +# +# smtpd_discard_ehlo_keyword_address_maps = +# cidr:{{10.0.0.1/24 chunking, silent\-discard}} +# smtpd_discard_ehlo_keywords = chunking, silent\-discard .fi .ad .ft R diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 275dc318b..853c58478 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19075,21 +19075,28 @@ non-standard <LF>, and process them as if the client sent the standard <CR><LF>.

This maintains compatibility with many legitimate SMTP client applications that send a mix of standard and non-standard line endings, but will fail to receive -email from client implementations that do not send -<CR><LF>.<CR><LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions.
+email from client implementations that do not terminate DATA content +with the standard End-of-DATA sequence +<CR><LF>.<CR><LF>.

Such clients +can be excluded with smtpd_forbid_bare_newline_exclusions.
yes
Compatibility alias for normalize.
reject
Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Reject a command -or message content when a line ends in <LF>, log a "bare +or message content when a line contains bare <LF>, log a "bare <LF> received" error, and reply with the SMTP status code in -$smtpd_forbid_bare_newline_reject_code.

This will fail -to receive email from SMTP clients that may send any non-standard -line endings such as web applications, netcat, or load balancer -health checks. Such clients need to be excluded with -smtpd_forbid_bare_newline_exclusions.
+$smtpd_forbid_bare_newline_reject_code.

This will reject +email from SMTP clients that send any non-standard line endings +such as web applications, netcat, or load balancer health checks. +

This will also reject some email from Microsoft services +whose BDAT implementations violate the canonical MIME format for +text messages required in RFC 3030 Section 3, and defined in RFC +2045 Sections 2.7 and 2.8.

Such clients can be excluded +with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT +violations, BDAT can be selectively disabled with +smtpd_discard_ehlo_keyword_address_maps, or globally disabled with +smtpd_discard_ehlo_keywords).
no
Do not require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Always process @@ -19101,7 +19108,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling. -

Examples:

+

Example 1:

@@ -19109,34 +19116,50 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
 # Otherwise, allow bare <LF> and process it as if the client sent
 # <CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
-#
 # This maintains compatibility with many legitimate SMTP client
 # applications that send a mix of standard and non-standard line
 # endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 
+

Example 2:

+
-# Reject input lines that end in <LF>, require that input lines
-# end in <CR><LF>, and require the standard End-of-DATA sequence
-# <CR><LF>.<CR><LF>.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
 #
-# This will fail to receive email from SMTP clients that send any
-# non-standard line endings such as web applications, netcat, or
-# load balancer health checks. Such clients need to be excluded with
-# smtpd_forbid_bare_newline_exclusions.
+# This will also reject some email from Microsoft services whose
+# BDAT implementations violate the canonical MIME format for text
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+#     cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent-discard
 
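Review bot: the commented-out address map example in this hunk, "#     cidr:{{10.0.0.1/24 chunking, silent-discard}}", uses a host address with a /24 prefix; Postfix's cidr table parser warns about non-null host address bits and suggests the network address, so the example should read 10.0.0.0/24 (and, since the sentence two lines above is about remote Microsoft services, it is worth saying that the pattern is a placeholder for the sender's network rather than a local one). Second, the first comment line of Example 2, "# Reject input lines that contain <LF> and log a "bare <LF> received"", drops the word "bare" that the reject description in the @@ -19075 hunk uses ("when a line contains bare <LF>"); a line terminated by <CR><LF> also contains an <LF>, so "contain bare <LF>" is the accurate wording. Both the cidr pattern and the comment are duplicated verbatim in the RELEASE_NOTES @@ -77 hunk and should be changed there in step.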
diff --git a/postfix/proto/stop b/postfix/proto/stop index eb2bf06c0..ceb654e95 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1592,3 +1592,5 @@ netcat probers lf EOD +chunking +allowlists diff --git a/postfix/proto/stop.double-install-proto-text b/postfix/proto/stop.double-install-proto-text index 261e1cbbc..5791910d3 100644 --- a/postfix/proto/stop.double-install-proto-text +++ b/postfix/proto/stop.double-install-proto-text @@ -41,3 +41,4 @@ root root you virtual virtual alias domain anything right hand content does not matter skipping unexpected LF LF in DATA from Inbound SMTP smuggling strip extra CR in CR LF CR CR LF +Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF diff --git a/postfix/proto/stop.double-proto-html b/postfix/proto/stop.double-proto-html index a161f9a1b..20be48655 100644 --- a/postfix/proto/stop.double-proto-html +++ b/postfix/proto/stop.double-proto-html @@ -346,4 +346,7 @@ query_filter mailacceptinggeneralid s maildrop maildrop maildrop owner cn root d dt b a name check_address_map check_address_map a i a href DATABASE_README html type table a i b dt PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl 1 h standard lt CR gt lt LF gt br br This maintains compatibility - smtpd_forbid_bare_newline_reject_code br br This will fail + lt CR gt lt LF gt lt CR gt lt LF gt br br Such clients + smtpd_forbid_bare_newline_reject_code br br This will reject + br br This will also reject some email from Microsoft services +2045 Sections 2 7 and 2 8 br br Such clients can be excluded diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index d46c0f44d..6a1035760 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240116" +#define MAIL_RELEASE_DATE "20240118" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT
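Review bot: in the RELEASE_NOTES @@ -77 hunk and the matching postconf.proto @@ -19075 hunk, the new sentence "This will reject email from SMTP clients that send any non-standard line endings such as web applications, netcat, or load balancer health checks" attaches the "such as" list to the line endings rather than to the clients; suggest "This will reject email from SMTP clients such as web applications, netcat, or load balancer health checks that send any non-standard line endings". The removed text had the same shape, but this rewrite is the moment to fix it, and the man and html copies will follow once postconf.proto is regenerated.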