diff --git a/postfix/HISTORY b/postfix/HISTORY index ec655022f..843d57711 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27681,7 +27681,24 @@ Apologies for any names omitted. 20240106 - Bugfix: with smtpd_forbid_bare_newline enabled, do not - "strip" extra characters before . This avoids + Inbound smuggling: with smtpd_forbid_bare_newline enabled, + do not "strip" extra characters before . This avoids ambiguity when a client sends extra characters as in - .. File: global/smtp_stream.c. + .. There is no smuggling vulnerability + because there is no mail system will send the above + sequence (mail systems send .. instead). + But this change will silence some testing tools. More at + https://www.postfix.org/false-smuggling-claims.html. File: + global/smtp_stream.c. + +20240109 + + Outbound smuggling: with "cleanup_replace_stray_cr_lf = + yes" (the default) Postfix will replace stray or + characters in message content with a space character. This + prevents Postfix from enabling outbound (remote) SMTP + smuggling, and it also makes evaluation of Postfix-added + DKIM etc. signatures independent from how a remote mail + server handles stray or characters. Files: + global/mail_params.h, cleanup/cleanup.c, cleanup/cleanup_message.c, + mantools/postlink, proto/postconf.proto. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 5ead75a50..470215bc8 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -26,6 +26,32 @@ now also distributed with the more recent Eclipse Public License license of their choice. Those who are more comfortable with the IPL can continue with that license. +Incompatibility with snapshot 20240109 +======================================= + +Outbound SMTP smuggling: with "cleanup_replace_stray_cr_lf = yes", the +cleanup daemon replaces each stray or character in message +content with a space character. The replacement happens before any other +content management. + +This prevents outbound SMTP smuggling, where an attacker uses Postfix +to send a non-standard End-of-DATA sequence that triggers inbound +SMTP smuggling at a remote SMTP server. + +This also ensures that the evaluation of Postfix-added DKIM etc. +signatures will not depend on how a remote mail server handles stray +or characters. + +This feature applies to all email that Postfix locally or remotely +out. It is not allowlisted based on client identity. + +Major changes with snapshot 20240106 +==================================== + +Inbound SMTP smuggling: strip extra in ., +to silence some tools that send attack sequences that are not viable. +Details at https://www.postfix.org/false-smuggling-claims.html + Major changes with snapshot 20240102 ==================================== @@ -36,10 +62,6 @@ This release improves configuration (see below) and logging for rejected input (it now includes helo, mail, and rcpt information if available). This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24. -- Stricter enforcement of .; earlier versions ignored - extra before , causing ambiguity about what the client - actually sent. - - The new setting "smtpd_forbid_bare_newline = normalize" allows bare newlines from local and remote SMTP clients that send bare newlines consistently, and maintains more compatibility with diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index 42b048a6e..b90af8399 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html @@ -160,28 +160,36 @@ CLEANUP(8) CLEANUP(8) The set of characters that Postfix will remove from message con- tent. + Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24, and + later: + + cleanup_replace_stray_cr_lf (yes) + Replace each stray <CR> or <LF> character in message content + with a space character, to prevent outbound SMTP smuggling, and + to make the evaluation of Postfix-added DKIM etc. + BEFORE QUEUE MILTER CONTROLS As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail - filter) protocol. When mail is not received via the smtpd(8) server, + filter) protocol. When mail is not received via the smtpd(8) server, the cleanup(8) server will simulate SMTP events to the extent that this is possible. For details see the MILTER_README document. non_smtpd_milters (empty) - A list of Milter (mail filter) applications for new mail that + A list of Milter (mail filter) applications for new mail that does not arrive via the Postfix smtpd(8) server. milter_protocol (6) - The mail filter protocol version and optional protocol exten- - sions for communication with a Milter application; prior to + The mail filter protocol version and optional protocol exten- + sions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. milter_default_action (tempfail) - The default action when a Milter (mail filter) response is - unavailable (for example, bad Postfix configuration or Milter + The default action when a Milter (mail filter) response is + unavailable (for example, bad Postfix configuration or Milter failure). milter_macro_daemon_name ($myhostname) - The {daemon_name} macro value for Milter (mail filter) applica- + The {daemon_name} macro value for Milter (mail filter) applica- tions. milter_macro_v ($mail_name $mail_version) @@ -192,45 +200,45 @@ CLEANUP(8) CLEANUP(8) tion, and for negotiating protocol options. milter_command_timeout (30s) - The time limit for sending an SMTP command to a Milter (mail + The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response. milter_content_timeout (300s) - The time limit for sending message content to a Milter (mail + The time limit for sending message content to a Milter (mail filter) application, and for receiving the response. milter_connect_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after completion of an SMTP connection. milter_helo_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. milter_mail_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. milter_rcpt_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. milter_data_macros (see 'postconf -d' output) - The macros that are sent to version 4 or higher Milter (mail + The macros that are sent to version 4 or higher Milter (mail filter) applications after the SMTP DATA command. milter_unknown_command_macros (see 'postconf -d' output) - The macros that are sent to version 3 or higher Milter (mail + The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. milter_end_of_data_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the message end-of-data. Available in Postfix version 2.5 and later: milter_end_of_header_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the end of the message header. Available in Postfix version 2.7 and later: @@ -242,8 +250,8 @@ CLEANUP(8) CLEANUP(8) Available in Postfix version 3.1 and later: milter_macro_defaults (empty) - Optional list of name=value pairs that specify default values - for arbitrary macros that Postfix may send to Milter applica- + Optional list of name=value pairs that specify default values + for arbitrary macros that Postfix may send to Milter applica- tions. MIME PROCESSING CONTROLS @@ -269,92 +277,92 @@ CLEANUP(8) CLEANUP(8) ing information. strict_mime_encoding_domain (no) - Reject mail with invalid Content-Transfer-Encoding: information + Reject mail with invalid Content-Transfer-Encoding: information for the message/* or multipart/* MIME content types. Available in Postfix version 2.5 and later: detect_8bit_encoding_header (yes) - Automatically detect 8BITMIME body content by looking at Con- - tent-Transfer-Encoding: message headers; historically, this + Automatically detect 8BITMIME body content by looking at Con- + tent-Transfer-Encoding: message headers; historically, this behavior was hard-coded to be "always on". AUTOMATIC BCC RECIPIENT CONTROLS - Postfix can automatically add BCC (blind carbon copy) when mail enters + Postfix can automatically add BCC (blind carbon copy) when mail enters the mail system: always_bcc (empty) - Optional address that receives a "blind carbon copy" of each + Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system. Available in Postfix version 2.1 and later: sender_bcc_maps (empty) - Optional BCC (blind carbon-copy) address lookup tables, indexed + Optional BCC (blind carbon-copy) address lookup tables, indexed by envelope sender address. recipient_bcc_maps (empty) - Optional BCC (blind carbon-copy) address lookup tables, indexed + Optional BCC (blind carbon-copy) address lookup tables, indexed by envelope recipient address. ADDRESS TRANSFORMATION CONTROLS - Address rewriting is delegated to the trivial-rewrite(8) daemon. The + Address rewriting is delegated to the trivial-rewrite(8) daemon. The cleanup(8) server implements table driven address mapping. empty_address_recipient (MAILER-DAEMON) The recipient of mail addressed to the null address. canonical_maps (empty) - Optional address mapping lookup tables for message headers and + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header recipient addresses. sender_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header sender addresses. masquerade_classes (envelope_sender, header_sender, header_recipient) What addresses are subject to address masquerading. masquerade_domains (empty) - Optional list of domains whose subdomain structure will be + Optional list of domains whose subdomain structure will be stripped off in email addresses. masquerade_exceptions (empty) - Optional list of user names that are not subjected to address - masquerading, even when their addresses match $masquer- + Optional list of user names that are not subjected to address + masquerading, even when their addresses match $masquer- ade_domains. propagate_unmatched_extensions (canonical, virtual) - What address lookup tables copy an address extension from the + What address lookup tables copy an address extension from the lookup key to the lookup result. Available before Postfix version 2.0: virtual_maps (empty) - Optional lookup tables with a) names of domains for which all - addresses are aliased to addresses in other local or remote + Optional lookup tables with a) names of domains for which all + addresses are aliased to addresses in other local or remote domains, and b) addresses that are aliased to addresses in other local or remote domains. Available in Postfix version 2.0 and later: virtual_alias_maps ($virtual_maps) - Optional lookup tables with aliases that apply to all recipi- - ents: local(8), virtual, and remote; this is unlike alias_maps + Optional lookup tables with aliases that apply to all recipi- + ents: local(8), virtual, and remote; this is unlike alias_maps that apply only to local(8) recipients. Available in Postfix version 2.2 and later: - canonical_classes (envelope_sender, envelope_recipient, header_sender, + canonical_classes (envelope_sender, envelope_recipient, header_sender, header_recipient) What addresses are subject to canonical_maps address mapping. recipient_canonical_classes (envelope_recipient, header_recipient) - What addresses are subject to recipient_canonical_maps address + What addresses are subject to recipient_canonical_maps address mapping. sender_canonical_classes (envelope_sender, header_sender) @@ -362,9 +370,9 @@ CLEANUP(8) CLEANUP(8) ping. remote_header_rewrite_domain (empty) - Rewrite or add message headers in mail from remote clients if - the remote_header_rewrite_domain parameter value is non-empty, - updating incomplete addresses with the domain specified in the + Rewrite or add message headers in mail from remote clients if + the remote_header_rewrite_domain parameter value is non-empty, + updating incomplete addresses with the domain specified in the remote_header_rewrite_domain parameter, and adding missing head- ers. @@ -375,7 +383,7 @@ CLEANUP(8) CLEANUP(8) showq(8) queue displays. header_size_limit (102400) - The maximal amount of memory in bytes for storing a message + The maximal amount of memory in bytes for storing a message header. hopcount_limit (50) @@ -383,17 +391,17 @@ CLEANUP(8) CLEANUP(8) in the primary message headers. in_flow_delay (1s) - Time to pause before accepting a new message, when the message + Time to pause before accepting a new message, when the message arrival rate exceeds the message delivery rate. message_size_limit (10240000) - The maximal size in bytes of a message, including envelope + The maximal size in bytes of a message, including envelope information. Available in Postfix version 2.0 and later: header_address_token_limit (10240) - The maximal number of address tokens are allowed in an address + The maximal number of address tokens are allowed in an address message header. mime_boundary_length_limit (2048) @@ -409,7 +417,7 @@ CLEANUP(8) CLEANUP(8) Available in Postfix version 2.1 and later: virtual_alias_expansion_limit (1000) - The maximal number of addresses that virtual alias expansion + The maximal number of addresses that virtual alias expansion produces from each original recipient. virtual_alias_recursion_limit (1000) @@ -418,50 +426,50 @@ CLEANUP(8) CLEANUP(8) Available in Postfix version 3.0 and later: virtual_alias_address_length_limit (1000) - The maximal length of an email address after virtual alias + The maximal length of an email address after virtual alias expansion. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. delay_warning_time (0h) - The time after which the sender receives a copy of the message + The time after which the sender receives a copy of the message headers of mail that is still queued. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -472,7 +480,7 @@ CLEANUP(8) CLEANUP(8) The internet hostname of this mail system. myorigin ($myhostname) - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. process_id (read-only) @@ -485,21 +493,21 @@ CLEANUP(8) CLEANUP(8) The location of the Postfix top-level queue directory. soft_bounce (no) - Safety net to keep mail queued that would otherwise be returned + Safety net to keep mail queued that would otherwise be returned to the sender. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.1 and later: enable_original_recipient (yes) - Enable support for the original recipient address after an - address is rewritten to a different address (for example with + Enable support for the original recipient address after an + address is rewritten to a different address (for example with aliasing or with canonical mapping). Available in Postfix 3.3 and later: @@ -510,14 +518,14 @@ CLEANUP(8) CLEANUP(8) Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.9 and later: force_mime_input_conversion (no) - Convert body content that claims to be 8-bit into quoted-print- - able, before header_checks, body_checks, Milters, and before + Convert body content that claims to be 8-bit into quoted-print- + able, before header_checks, body_checks, Milters, and before after-queue content filters. FILES diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 225df2cbe..df52fc91a 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -1469,6 +1469,40 @@ Examples: + + +
cleanup_replace_stray_cr_lf +(default: yes)
+ +

Replace each stray <CR> or <LF> character in message +content with a space character, to prevent outbound SMTP smuggling, +and to make the evaluation of Postfix-added DKIM etc. signatures +independent from how a remote mail server handles such characters. +

+ +

SMTP does not allow such characters unless they are part of a +<CR><LF> sequence, and different mail systems handle +such stray characters in an implementation-dependent manner. Stray +<CR> or <LF> characters could be used for outbound +SMTP smuggling, where an attacker uses a Postfix server to send +message content with a non-standard End-of-DATA sequence that +triggers inbound SMTP smuggling at a remote SMTP server.

+ +

The replacement happens before all other content management, +and before Postfix may add a DKIM etc. signature; if the signature +were created first, the replacement could invalidate the signature. +

+ +

In addition to preventing SMTP smuggling, replacing stray +<CR> or <LF> characters ensures that the result of +signature validation by later mail system will not depend on how +that mail system handles those stray characters in an +implementation-dependent manner.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24.

+ +
cleanup_service_name diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 0de744d6b..dbdb3205e 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -883,6 +883,32 @@ canonical_maps = hash:/etc/postfix/canonical .fi .ad .ft R +.SH cleanup_replace_stray_cr_lf (default: yes) +Replace each stray or character in message +content with a space character, to prevent outbound SMTP smuggling, +and to make the evaluation of Postfix\-added DKIM etc. signatures +independent from how a remote mail server handles such characters. +.PP +SMTP does not allow such characters unless they are part of a + sequence, and different mail systems handle +such stray characters in an implementation\-dependent manner. Stray + or characters could be used for outbound +SMTP smuggling, where an attacker uses a Postfix server to send +message content with a non\-standard End\-of\-DATA sequence that +triggers inbound SMTP smuggling at a remote SMTP server. +.PP +The replacement happens before all other content management, +and before Postfix may add a DKIM etc. signature; if the signature +were created first, the replacement could invalidate the signature. +.PP +In addition to preventing SMTP smuggling, replacing stray + or characters ensures that the result of +signature validation by later mail system will not depend on how +that mail system handles those stray characters in an +implementation\-dependent manner. +.PP +This feature is available in Postfix >= 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24. .SH cleanup_service_name (default: cleanup) The name of the \fBcleanup\fR(8) service. This service rewrites addresses into the standard form, and performs \fBcanonical\fR(5) address mapping diff --git a/postfix/man/man8/cleanup.8 b/postfix/man/man8/cleanup.8 index 3180bc9f8..8b15e91e6 100644 --- a/postfix/man/man8/cleanup.8 +++ b/postfix/man/man8/cleanup.8 @@ -165,6 +165,13 @@ content. .IP "\fBmessage_strip_characters (empty)\fR" The set of characters that Postfix will remove from message content. +.PP +Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14, +3.5.24, and later: +.IP "\fBcleanup_replace_stray_cr_lf (yes)\fR" +Replace each stray or character in message +content with a space character, to prevent outbound SMTP smuggling, +and to make the evaluation of Postfix\-added DKIM etc. .SH "BEFORE QUEUE MILTER CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 85f6b68c4..8b9837a8b 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -564,6 +564,7 @@ while (<>) { s;\bsmtpd_for[-]*\n*[ ]*bid_bare_newline\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bid_bare_newline_reject_code\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bid_bare_newline_exclusions\b;$&;g; + s;\bcleanup_replace_stray_cr_lf\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bid_unauth_pipelining\b;$&;g; s;\bsmtpd_hard_error_limit\b;$&;g; s;\bsmtpd_helo_required\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index bbc3c77ba..2666d0fcc 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11240,17 +11240,6 @@ is rejected by the reject_plaintext_session restriction.

This feature is available in Postfix 2.3 and later.

-%PARAM smtpd_forbid_bare_newline_reject_code 550 - -

-The numerical Postfix SMTP server response code when a request -is rejected by the smtpd_forbid_bare_newline feature. -Specify a 5XX status code (521 to disconnect). -

- -

This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, -3.6.14, and 3.5.24.

- %PARAM resolve_numeric_domain no

Resolve "user@ipaddress" as "user@[ipaddress]", instead of @@ -19158,6 +19147,47 @@ behavior as mynetworks.

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23.

+%PARAM smtpd_forbid_bare_newline_reject_code 550 + +

+The numerical Postfix SMTP server response code when a request +is rejected by the smtpd_forbid_bare_newline feature. +Specify a 5XX status code (521 to disconnect). +

+ +

This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24.

+ +%PARAM cleanup_replace_stray_cr_lf yes + +

Replace each stray <CR> or <LF> character in message +content with a space character, to prevent outbound SMTP smuggling, +and to make the evaluation of Postfix-added DKIM etc. signatures +independent from how a remote mail server handles such characters. +

+ +

SMTP does not allow such characters unless they are part of a +<CR><LF> sequence, and different mail systems handle +such stray characters in an implementation-dependent manner. Stray +<CR> or <LF> characters could be used for outbound +SMTP smuggling, where an attacker uses a Postfix server to send +message content with a non-standard End-of-DATA sequence that +triggers inbound SMTP smuggling at a remote SMTP server.

+ +

The replacement happens before all other content management, +and before Postfix may add a DKIM etc. signature; if the signature +were created first, the replacement could invalidate the signature. +

+ +

In addition to preventing SMTP smuggling, replacing stray +<CR> or <LF> characters ensures that the result of +signature validation by later mail system will not depend on how +that mail system handles those stray characters in an +implementation-dependent manner.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24.

+ %PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes

Disconnect remote SMTP clients that violate RFC 2920 (or 5321) diff --git a/postfix/proto/stop b/postfix/proto/stop index 13a4b3d63..efdde6354 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1590,3 +1590,4 @@ resychronization ENVID netcat probers +lf diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index aaca3c976..eff21250f 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -90,3 +90,6 @@ proto proto aliases proto virtual proto ADDRESS_REWRITING_README html keep reading message content after an unexpected LF LF forms Files proto postconf proto smtpd smtpd c CR LF CR CR LF File global smtp_stream c + CR LF CR CR LF There is no smuggling vulnerability + sequence mail systems send CR LF CR CR LF instead + global mail_params h cleanup cleanup c cleanup cleanup_message c diff --git a/postfix/proto/stop.double-install-proto-text b/postfix/proto/stop.double-install-proto-text index edccb2498..261e1cbbc 100644 --- a/postfix/proto/stop.double-install-proto-text +++ b/postfix/proto/stop.double-install-proto-text @@ -40,3 +40,4 @@ root root you user foo domain user domain domain virtual virtual alias domain anything right hand content does not matter skipping unexpected LF LF in DATA from +Inbound SMTP smuggling strip extra CR in CR LF CR CR LF diff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c index 99e5a592e..eac3c2538 100644 --- a/postfix/src/cleanup/cleanup.c +++ b/postfix/src/cleanup/cleanup.c @@ -147,6 +147,13 @@ /* .IP "\fBmessage_strip_characters (empty)\fR" /* The set of characters that Postfix will remove from message /* content. +/* .PP +/* Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14, +/* 3.5.24, and later: +/* .IP "\fBcleanup_replace_stray_cr_lf (yes)\fR" +/* Replace each stray or character in message +/* content with a space character, to prevent outbound SMTP smuggling, +/* and to make the evaluation of Postfix-added DKIM etc. /* BEFORE QUEUE MILTER CONTROLS /* .ad /* .fi diff --git a/postfix/src/cleanup/cleanup_init.c b/postfix/src/cleanup/cleanup_init.c index ddf64b288..446ddf2f9 100644 --- a/postfix/src/cleanup/cleanup_init.c +++ b/postfix/src/cleanup/cleanup_init.c @@ -175,6 +175,7 @@ int var_always_add_hdrs; /* always add missing headers */ int var_virt_addrlen_limit; /* stop exponential growth */ char *var_hfrom_format; /* header_from_format */ int var_force_mime_iconv; /* force mime downgrade on input */ +int var_cleanup_mask_stray_cr_lf; /* replace stray CR or LF with space */ const CONFIG_INT_TABLE cleanup_int_table[] = { VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0, @@ -192,6 +193,7 @@ const CONFIG_BOOL_TABLE cleanup_bool_table[] = { VAR_AUTO_8BIT_ENC_HDR, DEF_AUTO_8BIT_ENC_HDR, &var_auto_8bit_enc_hdr, VAR_ALWAYS_ADD_HDRS, DEF_ALWAYS_ADD_HDRS, &var_always_add_hdrs, VAR_FORCE_MIME_ICONV, DEF_FORCE_MIME_ICONV, &var_force_mime_iconv, + VAR_CLEANUP_MASK_STRAY_CR_LF, DEF_CLEANUP_MASK_STRAY_CR_LF, &var_cleanup_mask_stray_cr_lf, 0, }; diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c index bd951f344..0d31598c0 100644 --- a/postfix/src/cleanup/cleanup_message.c +++ b/postfix/src/cleanup/cleanup_message.c @@ -924,6 +924,23 @@ static void cleanup_message_headerbody(CLEANUP_STATE *state, int type, const char *cp; char *dst; + /* + * Replace each stray CR or LF with one space. These are not allowed in + * SMTP, and can be used to enable outbound (remote) SMTP smuggling. + * Replacing these early ensures that our later DKIM etc. signature will + * not be invalidated. Besides preventing SMTP smuggling, replacing stray + * or ensures that the result of signature validation by a + * later mail system will not depend on how that mail system handles + * those stray characters in an implementation-dependent manner. + * + * The input length is not changed, therefore it is safe to overwrite the + * input. + */ + if (var_cleanup_mask_stray_cr_lf) + for (dst = (char *) buf; dst < buf + len; dst++) + if (*dst == '\r' || *dst == '\n') + *dst = ' '; + /* * Reject unwanted characters. * diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index d21e5bfe0..1f03b0b34 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4314,6 +4314,10 @@ extern char *var_smtpd_dns_re_filter; #define VAR_SMTPD_FORBID_BARE_LF_CODE "smtpd_forbid_bare_newline_reject_code" #define DEF_SMTPD_FORBID_BARE_LF_CODE 550 +#define VAR_CLEANUP_MASK_STRAY_CR_LF "cleanup_replace_stray_cr_lf" +#define DEF_CLEANUP_MASK_STRAY_CR_LF 1 +extern int var_cleanup_mask_stray_cr_lf; + /* * Share TLS sessions through tlsproxy(8). */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index d11250180..7fbbb715d 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240106" +#define MAIL_RELEASE_DATE "20240109" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/global/smtp_stream.c b/postfix/src/global/smtp_stream.c index 769b9c081..07cba37ad 100644 --- a/postfix/src/global/smtp_stream.c +++ b/postfix/src/global/smtp_stream.c @@ -54,7 +54,7 @@ /* va_list ap; /* /* int smtp_forbid_bare_lf; -/* int smtp_seen_bare_lf; +/* int smtp_detected_bare_lf; /* AUXILIARY API /* int smtp_get_noexcept(vp, stream, maxlen, flags) /* VSTRING *vp; @@ -136,15 +136,15 @@ /* smtp_get_noexcept() implements the subset of smtp_get() /* without timeouts and without making long jumps. Instead, /* query the stream status with vstream_feof() etc. -/* This function will set smtp_seen_bare_lf when flagging +/* This function will set smtp_detected_bare_lf when flagging /* input with a bare newline byte. /* /* smtp_timeout_setup() is a backwards-compatibility interface /* for programs that don't require deadline or data-rate support. /* /* smtp_forbid_bare_lf controls whether smtp_get_noexcept() -/* will set smtp_seen_bare_lf when the line that was read last -/* ended with a bare newline byte. +/* will set smtp_detected_bare_lf when the line that was read +/* last ended with a bare newline byte. /* DIAGNOSTICS /* .fi /* .ad @@ -224,7 +224,7 @@ * body content one line at a time. */ int smtp_forbid_bare_lf; -int smtp_seen_bare_lf; +int smtp_detected_bare_lf; /* smtp_timeout_reset - reset per-stream error flags */ @@ -387,7 +387,7 @@ int smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags int last_char; int next_char; - smtp_seen_bare_lf = 0; + smtp_detected_bare_lf = 0; /* * It's painful to do I/O with records that may span multiple buffers. @@ -433,7 +433,7 @@ int smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags vstring_truncate(vp, VSTRING_LEN(vp) - 1); if (smtp_forbid_bare_lf) { if (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r') - smtp_seen_bare_lf = smtp_forbid_bare_lf; + smtp_detected_bare_lf = smtp_forbid_bare_lf; else vstring_truncate(vp, VSTRING_LEN(vp) - 1); } else { diff --git a/postfix/src/global/smtp_stream.h b/postfix/src/global/smtp_stream.h index 1a894685c..3e1f71108 100644 --- a/postfix/src/global/smtp_stream.h +++ b/postfix/src/global/smtp_stream.h @@ -44,7 +44,7 @@ extern void smtp_fwrite(const char *, ssize_t len, VSTREAM *); extern void smtp_fread_buf(VSTRING *, ssize_t len, VSTREAM *); extern void smtp_fputc(int, VSTREAM *); extern int smtp_forbid_bare_lf; -extern int smtp_seen_bare_lf; +extern int smtp_detected_bare_lf; extern void smtp_vprintf(VSTREAM *, const char *, va_list); diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 86c7c84d6..6c94c67be 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -3622,8 +3622,8 @@ static void receive_data_message(SMTPD_STATE *state, int curr_rec_type; int prev_rec_type; int first = 1; - int prev_seen_bare_lf = 0; - int expect_crlf_dot = IS_BARE_LF_REJECT(smtp_forbid_bare_lf); + int prev_detected_bare_lf = 0; + int require_crlf_dot_crlf = IS_BARE_LF_REJECT(smtp_forbid_bare_lf); /* * If deadlines are enabled, increase the time budget as message content @@ -3645,14 +3645,16 @@ static void receive_data_message(SMTPD_STATE *state, * because sendmail permits it. */ for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type, - expect_crlf_dot = (expect_crlf_dot || smtp_seen_bare_lf == 0), - prev_seen_bare_lf = smtp_seen_bare_lf) { + require_crlf_dot_crlf = (require_crlf_dot_crlf || + (IS_BARE_LF_NORMALIZE(smtp_forbid_bare_lf) + && smtp_detected_bare_lf == 0)), + prev_detected_bare_lf = smtp_detected_bare_lf) { if (smtp_get(state->buffer, state->client, var_line_limit, SMTP_GET_FLAG_NONE) == '\n') curr_rec_type = REC_TYPE_NORM; else curr_rec_type = REC_TYPE_CONT; - if (IS_BARE_LF_REJECT(smtp_seen_bare_lf)) + if (IS_BARE_LF_REJECT(smtp_detected_bare_lf)) state->err |= CLEANUP_STAT_BARE_LF; start = vstring_str(state->buffer); len = VSTRING_LEN(state->buffer); @@ -3667,8 +3669,8 @@ static void receive_data_message(SMTPD_STATE *state, out_record(out_stream, REC_TYPE_NORM, "", 0); } if (prev_rec_type != REC_TYPE_CONT && *start == '.') { - if (len == 1 && expect_crlf_dot - && (smtp_seen_bare_lf || prev_seen_bare_lf)) + if (len == 1 && require_crlf_dot_crlf + && (smtp_detected_bare_lf || prev_detected_bare_lf)) continue; if (proxy == 0 ? (++start, --len) == 0 : len == 1) break; @@ -4154,7 +4156,7 @@ static int bdat_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) /* Skip the out_record() and VSTRING_RESET() calls below. */ break; } - if (IS_BARE_LF_REJECT(smtp_seen_bare_lf)) + if (IS_BARE_LF_REJECT(smtp_detected_bare_lf)) state->err |= CLEANUP_STAT_BARE_LF; start = vstring_str(state->bdat_get_buffer); len = VSTRING_LEN(state->bdat_get_buffer); @@ -5851,7 +5853,7 @@ static void smtpd_proto(SMTPD_STATE *state) } watchdog_pat(); smtpd_chat_query(state); - if (IS_BARE_LF_REJECT(smtp_seen_bare_lf)) { + if (IS_BARE_LF_REJECT(smtp_detected_bare_lf)) { log_whatsup(state, "reject", "bare received"); state->error_mask |= MAIL_ERROR_PROTOCOL; smtpd_chat_reply(state, "%d 5.5.2 %s Error: bare received",