mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00
Code Issues Releases Wiki Activity

postfix-3.9-20240109

Browse Source
This commit is contained in:
Wietse Venema 2024-01-09 00:00:00 -05:00 committed by Viktor Dukhovni
parent bcca0a3523
commit b66973a3c4
19 changed files with 285 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
postfix/HISTORY
View File

@ -27681,7 +27681,24 @@ Apologies for any names omitted.
20240106
Bugfix: with smtpd_forbid_bare_newline enabled, do not
"strip" extra <CR> characters before <LF>. This avoids
Inbound smuggling: with smtpd_forbid_bare_newline enabled,
do not "strip" extra <CR> characters before <LF>. This avoids
ambiguity when a client sends extra <CR> characters as in
<CR><LF>.<CR><CR><LF>. File: global/smtp_stream.c.
<CR><LF>.<CR><CR><LF>. There is no smuggling vulnerability
because there is no mail system will send the above
sequence (mail systems send <CR><LF>..<CR><CR><LF> instead).
But this change will silence some testing tools. More at
https://www.postfix.org/false-smuggling-claims.html. File:
global/smtp_stream.c.
20240109
Outbound smuggling: with "cleanup_replace_stray_cr_lf =
yes" (the default) Postfix will replace stray <CR> or <LF>
characters in message content with a space character. This
prevents Postfix from enabling outbound (remote) SMTP
smuggling, and it also makes evaluation of Postfix-added
DKIM etc. signatures independent from how a remote mail
server handles stray <CR> or <LF> characters. Files:
global/mail_params.h, cleanup/cleanup.c, cleanup/cleanup_message.c,
mantools/postlink, proto/postconf.proto.

30
postfix/RELEASE_NOTES
View File

@ -26,6 +26,32 @@ now also distributed with the more recent Eclipse Public License
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
Incompatibility with snapshot 20240109
=======================================
Outbound SMTP smuggling: with "cleanup_replace_stray_cr_lf = yes", the
cleanup daemon replaces each stray <CR> or <LF> character in message
content with a space character. The replacement happens before any other
content management.
This prevents outbound SMTP smuggling, where an attacker uses Postfix
to send a non-standard End-of-DATA sequence that triggers inbound
SMTP smuggling at a remote SMTP server.
This also ensures that the evaluation of Postfix-added DKIM etc.
signatures will not depend on how a remote mail server handles stray <CR>
or <LF> characters.
This feature applies to all email that Postfix locally or remotely
out. It is not allowlisted based on client identity.
Major changes with snapshot 20240106
====================================
Inbound SMTP smuggling: strip extra <CR> in <CR><LF>.<CR><CR><LF>,
to silence some tools that send attack sequences that are not viable.
Details at https://www.postfix.org/false-smuggling-claims.html
Major changes with snapshot 20240102
====================================
@ -36,10 +62,6 @@ This release improves configuration (see below) and logging for rejected
input (it now includes helo, mail, and rcpt information if available).
This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24.
- Stricter enforcement of <CR><LF>.<CR><LF>; earlier versions ignored
extra <CR> before <LF>, causing ambiguity about what the client
actually sent.
- The new setting "smtpd_forbid_bare_newline = normalize" allows
bare newlines from local and remote SMTP clients that send bare
newlines consistently, and maintains more compatibility with

8
postfix/html/cleanup.8.html
View File

@ -160,6 +160,14 @@ CLEANUP(8) CLEANUP(8)
The set of characters that Postfix will remove from message con-
tent.
Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24, and
later:
<b><a href="postconf.5.html#cleanup_replace_stray_cr_lf">cleanup_replace_stray_cr_lf</a> (yes)</b>
Replace each stray &lt;CR&gt; or &lt;LF&gt; character in message content
with a space character, to prevent outbound SMTP smuggling, and
to make the evaluation of Postfix-added DKIM etc.
<b>BEFORE QUEUE MILTER CONTROLS</b>
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server,

34
postfix/html/postconf.5.html
View File

@ -1469,6 +1469,40 @@ Examples:
</pre>
</DD>
<DT><b><a name="cleanup_replace_stray_cr_lf">cleanup_replace_stray_cr_lf</a>
(default: yes)</b></DT><DD>
<p> Replace each stray &lt;CR&gt; or &lt;LF&gt; character in message
content with a space character, to prevent outbound SMTP smuggling,
and to make the evaluation of Postfix-added DKIM etc. signatures
independent from how a remote mail server handles such characters.
</p>
<p> SMTP does not allow such characters unless they are part of a
&lt;CR&gt;&lt;LF&gt; sequence, and different mail systems handle
such stray characters in an implementation-dependent manner. Stray
&lt;CR&gt; or &lt;LF&gt; characters could be used for outbound
SMTP smuggling, where an attacker uses a Postfix server to send
message content with a non-standard End-of-DATA sequence that
triggers inbound SMTP smuggling at a remote SMTP server.</p>
<p> The replacement happens before all other content management,
and before Postfix may add a DKIM etc. signature; if the signature
were created first, the replacement could invalidate the signature.
</p>
<p> In addition to preventing SMTP smuggling, replacing stray
&lt;CR&gt; or &lt;LF&gt; characters ensures that the result of
signature validation by later mail system will not depend on how
that mail system handles those stray characters in an
implementation-dependent manner. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
3.6.14, and 3.5.24. </p>
</DD>
<DT><b><a name="cleanup_service_name">cleanup_service_name</a>

26
postfix/man/man5/postconf.5
View File

@ -883,6 +883,32 @@ canonical_maps = hash:/etc/postfix/canonical
.fi
.ad
.ft R
.SH cleanup_replace_stray_cr_lf (default: yes)
Replace each stray <CR> or <LF> character in message
content with a space character, to prevent outbound SMTP smuggling,
and to make the evaluation of Postfix\-added DKIM etc. signatures
independent from how a remote mail server handles such characters.
.PP
SMTP does not allow such characters unless they are part of a
<CR><LF> sequence, and different mail systems handle
such stray characters in an implementation\-dependent manner. Stray
<CR> or <LF> characters could be used for outbound
SMTP smuggling, where an attacker uses a Postfix server to send
message content with a non\-standard End\-of\-DATA sequence that
triggers inbound SMTP smuggling at a remote SMTP server.
.PP
The replacement happens before all other content management,
and before Postfix may add a DKIM etc. signature; if the signature
were created first, the replacement could invalidate the signature.
.PP
In addition to preventing SMTP smuggling, replacing stray
<CR> or <LF> characters ensures that the result of
signature validation by later mail system will not depend on how
that mail system handles those stray characters in an
implementation\-dependent manner.
.PP
This feature is available in Postfix >= 3.9, 3.8.5, 3.7.10,
3.6.14, and 3.5.24.
.SH cleanup_service_name (default: cleanup)
The name of the \fBcleanup\fR(8) service. This service rewrites addresses
into the standard form, and performs \fBcanonical\fR(5) address mapping

7
postfix/man/man8/cleanup.8
View File

@ -165,6 +165,13 @@ content.
.IP "\fBmessage_strip_characters (empty)\fR"
The set of characters that Postfix will remove from message
content.
.PP
Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14,
3.5.24, and later:
.IP "\fBcleanup_replace_stray_cr_lf (yes)\fR"
Replace each stray <CR> or <LF> character in message
content with a space character, to prevent outbound SMTP smuggling,
and to make the evaluation of Postfix\-added DKIM etc.
.SH "BEFORE QUEUE MILTER CONTROLS"
.na
.nf

1
postfix/mantools/postlink
View File

@ -564,6 +564,7 @@ while (<>) {
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_reject_code\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
s;\bcleanup_replace_stray_cr_lf\b;<a href="postconf.5.html#cleanup_replace_stray_cr_lf">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;

52
postfix/proto/postconf.proto
View File

@ -11240,17 +11240,6 @@ is rejected by the <b>reject_plaintext_session</b> restriction.
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtpd_forbid_bare_newline_reject_code 550
<p>
The numerical Postfix SMTP server response code when a request
is rejected by the <b>smtpd_forbid_bare_newline</b> feature.
Specify a 5XX status code (521 to disconnect).
</p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
3.6.14, and 3.5.24. </p>
%PARAM resolve_numeric_domain no
<p> Resolve "user@ipaddress" as "user@[ipaddress]", instead of
@ -19158,6 +19147,47 @@ behavior as mynetworks. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
%PARAM smtpd_forbid_bare_newline_reject_code 550
<p>
The numerical Postfix SMTP server response code when a request
is rejected by the <b>smtpd_forbid_bare_newline</b> feature.
Specify a 5XX status code (521 to disconnect).
</p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
3.6.14, and 3.5.24. </p>
%PARAM cleanup_replace_stray_cr_lf yes
<p> Replace each stray &lt;CR&gt; or &lt;LF&gt; character in message
content with a space character, to prevent outbound SMTP smuggling,
and to make the evaluation of Postfix-added DKIM etc. signatures
independent from how a remote mail server handles such characters.
</p>
<p> SMTP does not allow such characters unless they are part of a
&lt;CR&gt;&lt;LF&gt; sequence, and different mail systems handle
such stray characters in an implementation-dependent manner. Stray
&lt;CR&gt; or &lt;LF&gt; characters could be used for outbound
SMTP smuggling, where an attacker uses a Postfix server to send
message content with a non-standard End-of-DATA sequence that
triggers inbound SMTP smuggling at a remote SMTP server.</p>
<p> The replacement happens before all other content management,
and before Postfix may add a DKIM etc. signature; if the signature
were created first, the replacement could invalidate the signature.
</p>
<p> In addition to preventing SMTP smuggling, replacing stray
&lt;CR&gt; or &lt;LF&gt; characters ensures that the result of
signature validation by later mail system will not depend on how
that mail system handles those stray characters in an
implementation-dependent manner. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
3.6.14, and 3.5.24. </p>
%PARAM smtpd_forbid_unauth_pipelining Postfix &ge; 3.9: yes
<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)

1
postfix/proto/stop
View File

@ -1590,3 +1590,4 @@ resychronization
ENVID
netcat
probers
lf

3
postfix/proto/stop.double-history
View File

@ -90,3 +90,6 @@ proto proto aliases proto virtual proto ADDRESS_REWRITING_README html
keep reading message content after an unexpected LF LF
forms Files proto postconf proto smtpd smtpd c
CR LF CR CR LF File global smtp_stream c
CR LF CR CR LF There is no smuggling vulnerability
sequence mail systems send CR LF CR CR LF instead
global mail_params h cleanup cleanup c cleanup cleanup_message c

1
postfix/proto/stop.double-install-proto-text
View File

@ -40,3 +40,4 @@ root root you
user foo domain user domain domain
virtual virtual alias domain anything right hand content does not matter
skipping unexpected LF LF in DATA from
Inbound SMTP smuggling strip extra CR in CR LF CR CR LF

7
postfix/src/cleanup/cleanup.c
View File

@ -147,6 +147,13 @@
/* .IP "\fBmessage_strip_characters (empty)\fR"
/* The set of characters that Postfix will remove from message
/* content.
/* .PP
/* Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14,
/* 3.5.24, and later:
/* .IP "\fBcleanup_replace_stray_cr_lf (yes)\fR"
/* Replace each stray <CR> or <LF> character in message
/* content with a space character, to prevent outbound SMTP smuggling,
/* and to make the evaluation of Postfix-added DKIM etc.
/* BEFORE QUEUE MILTER CONTROLS
/* .ad
/* .fi

2
postfix/src/cleanup/cleanup_init.c
View File

@ -175,6 +175,7 @@ int var_always_add_hdrs; /* always add missing headers */
int var_virt_addrlen_limit; /* stop exponential growth */
char *var_hfrom_format; /* header_from_format */
int var_force_mime_iconv; /* force mime downgrade on input */
int var_cleanup_mask_stray_cr_lf; /* replace stray CR or LF with space */
const CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0,
@ -192,6 +193,7 @@ const CONFIG_BOOL_TABLE cleanup_bool_table[] = {
VAR_AUTO_8BIT_ENC_HDR, DEF_AUTO_8BIT_ENC_HDR, &var_auto_8bit_enc_hdr,
VAR_ALWAYS_ADD_HDRS, DEF_ALWAYS_ADD_HDRS, &var_always_add_hdrs,
VAR_FORCE_MIME_ICONV, DEF_FORCE_MIME_ICONV, &var_force_mime_iconv,
VAR_CLEANUP_MASK_STRAY_CR_LF, DEF_CLEANUP_MASK_STRAY_CR_LF, &var_cleanup_mask_stray_cr_lf,
0,
};

17
postfix/src/cleanup/cleanup_message.c
View File

@ -924,6 +924,23 @@ static void cleanup_message_headerbody(CLEANUP_STATE *state, int type,
const char *cp;
char *dst;
/*
* Replace each stray CR or LF with one space. These are not allowed in
* SMTP, and can be used to enable outbound (remote) SMTP smuggling.
* Replacing these early ensures that our later DKIM etc. signature will
* not be invalidated. Besides preventing SMTP smuggling, replacing stray
* <CR> or <LF> ensures that the result of signature validation by a
* later mail system will not depend on how that mail system handles
* those stray characters in an implementation-dependent manner.
*
* The input length is not changed, therefore it is safe to overwrite the
* input.
*/
if (var_cleanup_mask_stray_cr_lf)
for (dst = (char *) buf; dst < buf + len; dst++)
if (*dst == '\r' || *dst == '\n')
*dst = ' ';
/*
* Reject unwanted characters.
*

4
postfix/src/global/mail_params.h
View File

@ -4314,6 +4314,10 @@ extern char *var_smtpd_dns_re_filter;
#define VAR_SMTPD_FORBID_BARE_LF_CODE "smtpd_forbid_bare_newline_reject_code"
#define DEF_SMTPD_FORBID_BARE_LF_CODE 550
#define VAR_CLEANUP_MASK_STRAY_CR_LF "cleanup_replace_stray_cr_lf"
#define DEF_CLEANUP_MASK_STRAY_CR_LF 1
extern int var_cleanup_mask_stray_cr_lf;
/*
* Share TLS sessions through tlsproxy(8).
*/

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20240106"
#define MAIL_RELEASE_DATE "20240109"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT

14
postfix/src/global/smtp_stream.c
View File

@ -54,7 +54,7 @@
/* va_list ap;
/*
/* int smtp_forbid_bare_lf;
/* int smtp_seen_bare_lf;
/* int smtp_detected_bare_lf;
/* AUXILIARY API
/* int smtp_get_noexcept(vp, stream, maxlen, flags)
/* VSTRING *vp;
@ -136,15 +136,15 @@
/* smtp_get_noexcept() implements the subset of smtp_get()
/* without timeouts and without making long jumps. Instead,
/* query the stream status with vstream_feof() etc.
/* This function will set smtp_seen_bare_lf when flagging
/* This function will set smtp_detected_bare_lf when flagging
/* input with a bare newline byte.
/*
/* smtp_timeout_setup() is a backwards-compatibility interface
/* for programs that don't require deadline or data-rate support.
/*
/* smtp_forbid_bare_lf controls whether smtp_get_noexcept()
/* will set smtp_seen_bare_lf when the line that was read last
/* ended with a bare newline byte.
/* will set smtp_detected_bare_lf when the line that was read
/* last ended with a bare newline byte.
/* DIAGNOSTICS
/* .fi
/* .ad
@ -224,7 +224,7 @@
* body content one line at a time.
*/
int smtp_forbid_bare_lf;
int smtp_seen_bare_lf;
int smtp_detected_bare_lf;
/* smtp_timeout_reset - reset per-stream error flags */
@ -387,7 +387,7 @@ int smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags
int last_char;
int next_char;
smtp_seen_bare_lf = 0;
smtp_detected_bare_lf = 0;
/*
* It's painful to do I/O with records that may span multiple buffers.
@ -433,7 +433,7 @@ int smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags
vstring_truncate(vp, VSTRING_LEN(vp) - 1);
if (smtp_forbid_bare_lf) {
if (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r')
smtp_seen_bare_lf = smtp_forbid_bare_lf;
smtp_detected_bare_lf = smtp_forbid_bare_lf;
else
vstring_truncate(vp, VSTRING_LEN(vp) - 1);
} else {

2
postfix/src/global/smtp_stream.h
View File

@ -44,7 +44,7 @@ extern void smtp_fwrite(const char *, ssize_t len, VSTREAM *);
extern void smtp_fread_buf(VSTRING *, ssize_t len, VSTREAM *);
extern void smtp_fputc(int, VSTREAM *);
extern int smtp_forbid_bare_lf;
extern int smtp_seen_bare_lf;
extern int smtp_detected_bare_lf;
extern void smtp_vprintf(VSTREAM *, const char *, va_list);

20
postfix/src/smtpd/smtpd.c
View File

@ -3622,8 +3622,8 @@ static void receive_data_message(SMTPD_STATE *state,
int curr_rec_type;
int prev_rec_type;
int first = 1;
int prev_seen_bare_lf = 0;
int expect_crlf_dot = IS_BARE_LF_REJECT(smtp_forbid_bare_lf);
int prev_detected_bare_lf = 0;
int require_crlf_dot_crlf = IS_BARE_LF_REJECT(smtp_forbid_bare_lf);
/*
* If deadlines are enabled, increase the time budget as message content
@ -3645,14 +3645,16 @@ static void receive_data_message(SMTPD_STATE *state,
* because sendmail permits it.
*/
for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type,
expect_crlf_dot = (expect_crlf_dot || smtp_seen_bare_lf == 0),
prev_seen_bare_lf = smtp_seen_bare_lf) {
require_crlf_dot_crlf = (require_crlf_dot_crlf ||
(IS_BARE_LF_NORMALIZE(smtp_forbid_bare_lf)
&& smtp_detected_bare_lf == 0)),
prev_detected_bare_lf = smtp_detected_bare_lf) {
if (smtp_get(state->buffer, state->client, var_line_limit,
SMTP_GET_FLAG_NONE) == '\n')
curr_rec_type = REC_TYPE_NORM;
else
curr_rec_type = REC_TYPE_CONT;
if (IS_BARE_LF_REJECT(smtp_seen_bare_lf))
if (IS_BARE_LF_REJECT(smtp_detected_bare_lf))
state->err |= CLEANUP_STAT_BARE_LF;
start = vstring_str(state->buffer);
len = VSTRING_LEN(state->buffer);
@ -3667,8 +3669,8 @@ static void receive_data_message(SMTPD_STATE *state,
out_record(out_stream, REC_TYPE_NORM, "", 0);
}
if (prev_rec_type != REC_TYPE_CONT && *start == '.') {
if (len == 1 && expect_crlf_dot
&& (smtp_seen_bare_lf || prev_seen_bare_lf))
if (len == 1 && require_crlf_dot_crlf
&& (smtp_detected_bare_lf || prev_detected_bare_lf))
continue;
if (proxy == 0 ? (++start, --len) == 0 : len == 1)
break;
@ -4154,7 +4156,7 @@ static int bdat_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
/* Skip the out_record() and VSTRING_RESET() calls below. */
break;
}
if (IS_BARE_LF_REJECT(smtp_seen_bare_lf))
if (IS_BARE_LF_REJECT(smtp_detected_bare_lf))
state->err |= CLEANUP_STAT_BARE_LF;
start = vstring_str(state->bdat_get_buffer);
len = VSTRING_LEN(state->bdat_get_buffer);
@ -5851,7 +5853,7 @@ static void smtpd_proto(SMTPD_STATE *state)
}
watchdog_pat();
smtpd_chat_query(state);
if (IS_BARE_LF_REJECT(smtp_seen_bare_lf)) {
if (IS_BARE_LF_REJECT(smtp_detected_bare_lf)) {
log_whatsup(state, "reject", "bare <LF> received");
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "%d 5.5.2 %s Error: bare <LF> received",