mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 05:07:58 +00:00

postfix-3.9-20240121

Wietse Venema 2024-01-21 00:00:00 -05:00 committed by Viktor Dukhovni
parent 0d0d581a6d
commit c7bbf68093
8 changed files with 99 additions and 111 deletions


@ -27721,12 +27721,13 @@ Apologies for any names omitted.
Reverted some changes after postfix-3.9-20240112, and updated
documentation.
20240118
20240121
Documentation: Microsoft uses BDAT to send content with
bare LF. This violates the canonical MIME format for text
messages as required in RFC 3030 section 3, and as defined
in RFC 2045 sections 2.7 and 2.8. Files: proto/postconf.proto,
Documentation: "smtpd_forbid_bare_newline = reject" will
reject email from services that use BDAT to send MIME text
containing a bare newline (RFC 3030 Section 3 requires
canonical MIME format for text message types, defined in
RFC 2045 Sections 2.7 and 2.8) Files: proto/postconf.proto,
RELEASE_NOTES.
Baseline for back porting the SMTP smuggling fixes to Postfix
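Review bot: the replacement HISTORY entry is missing a sentence terminator between the closing parenthesis and the file list. "defined in RFC 2045 Sections 2.7 and 2.8) Files: proto/postconf.proto," should read "defined in RFC 2045 Sections 2.7 and 2.8). Files: proto/postconf.proto, RELEASE_NOTES." so that the entry is punctuated like the entries around it.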


@ -29,18 +29,19 @@ IPL can continue with that license.
Incompatibility with snapshot 20240110
=======================================
Outbound SMTP smuggling: with "cleanup_replace_stray_cr_lf = yes", the
cleanup daemon replaces each stray <CR> or <LF> character in message
content with a space character. The replacement happens before any other
content management.
- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
daemon replaces each stray <CR> or <LF> character in message
content with a space character. The replacement happens before
any other content management (header/body_checks, Milters, etc).
This prevents outbound SMTP smuggling, where an attacker uses Postfix
to send email with a non-standard End-of-DATA sequence that exploits
inbound SMTP smuggling at a vulnerable SMTP server.
This prevents outbound SMTP smuggling, where an attacker uses
Postfix to send email containing a non-standard End-of-DATA
sequence, to exploit inbound SMTP smuggling at a vulnerable remote
SMTP server.
This also ensures that the evaluation of Postfix-added DKIM and
other signatures will not depend on how a remote mail server handles
stray <CR> or <LF> characters.
This also improves the remote evaluation of Postfix-added DKIM
and other signatures, as the evaluation result will not depend
on how a remote email server handles stray <CR> or <LF> characters.
This feature applies to all email that Postfix locally or remotely
sends out. It is not allowlisted based on client identity.
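Review bot: the DKIM paragraph would be stronger if it connected the two facts this hunk states separately: the stray <CR>/<LF> replacement runs before "any other content management (header/body_checks, Milters, etc)", so a DKIM-signing Milter only ever sees the normalized content, and that ordering is exactly why the remote verification result cannot depend on how the receiving server treats stray characters. Suggest saying so explicitly, e.g. "Because the replacement happens before Milters run, Postfix-added DKIM and other signatures are computed over the normalized content." Also, the "Outbound SMTP smuggling:" label that opens the old paragraph does not appear in the bulleted replacement; keep a short lead-in so the item still names what it prevents before the explanation two sentences later.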
@ -53,25 +54,30 @@ background, see https://www.postfix.org/smtp-smuggling.html
This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24.
- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
= normalize" requires the standard End-of-DATA sequence
<CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
maintaining more compatibility with existing infrastructure.
- Improved logging for rejected input (it now includes queue ID,
helo, mail, and rcpt, if available).
- The new default "smtpd_forbid_bare_newline = normalize"
requires the standard End-of-DATA sequence <CR><LF>.<CR><LF>, and
allows bare newlines from SMTP clients, maintaining more compatibility
with infrastructure tools such as probers and surveys.
- The setting "smtpd_forbid_bare_newline = reject" requires
that input lines end in <CR><LF>, requires the standard End-of-DATA
sequence <CR><LF>.<CR><LF>, and rejects a command or message that
contains a bare newline. To disconnect the client, specify
"smtpd_forbid_bare_newline_reject_code = 521".
- The new setting "smtpd_forbid_bare_newline = reject" requires
that input lines end in <CR><LF>, requires the standard
End-of-DATA sequence <CR><LF>.<CR><LF>, and rejects a command or
message that contains a bare newline. To disconnect the client,
specify "smtpd_forbid_bare_newline_reject_code = 521".
- The Postfix SMTP server no longer strips extra <CR> as in
<CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
that send attack sequences that real mail servers cannot send.
Details at https://www.postfix.org/false-smuggling-claims.html
- The old setting "yes" has become an alias for "normalize".
- The old setting "no" has not changed, and allows SMTP smuggling.
The recommended Postfix 3.9 settings (i.e. the defaults) are now:
The recommended settings are now:
# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
@ -99,10 +105,10 @@ Alternative settings:
# line endings such as web applications, netcat, or load balancer
# health checks.
#
# This will also reject some email from Microsoft services whose
# BDAT implementations violate the canonical MIME format for text
# messages required in RFC 3030 Section 3, and defined in RFC 2045
# Sections 2.7 and 2.8.
# This will also reject email from services that use BDAT to send
# MIME text containing a bare newline (RFC 3030 Section 3 requires
# canonical MIME format for text message types, defined in RFC 2045
# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@ -114,40 +120,11 @@ Alternative settings:
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
# smtpd_discard_ehlo_keyword_address_maps =
# cidr:{{10.0.0.1/24 chunking, silent-discard}}
# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
# /path/to/file:
# 10.0.0.0/24 chunking, silent-discard
# smtpd_discard_ehlo_keywords = chunking, silent-discard
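Review bot: the replacement example also corrects the network prefix: the inline map used 10.0.0.1/24 (host bits set) while the file-based form uses 10.0.0.0/24, the network address. That is worth a mention in the commit message, since the same example is updated in three postconf copies in this commit. And now that the example refers to cidr:/path/to/file, the RELEASE_NOTES comment could name cidr_table(5) so readers know the file format; the HTML copies already link cidr_table.5.html.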
Major changes with snapshot 20240106
====================================
Inbound SMTP smuggling: don't strip extra <CR> in <CR><LF>.<CR><CR><LF>,
to silence test tools that send attack sequences that are not viable.
Details at https://www.postfix.org/false-smuggling-claims.html
Incompatible changes with snapshot 20231221
===========================================
Postfix 3.9 by default disconnects a client that sends a 'bare
newline' ending in SMTP. This prevents an SMTP smuggling attack
that targets recipients at a Postfix server. For background,
see https://www.postfix.org/smtp-smuggling.html
For compatibility with non-standard clients, Postfix 3.9 by default
excludes clients in mynetworks from this countermeasure.
The Postfix 3.9 default settings are:
# Disconnect remote SMTP clients that send bare newlines, but
# allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
This feature is back-ported to all supported stable releases, with
the difference that "smtpd_forbid_bare_newline = no" by default.
Incompatible changes with snapshot 20230903
===========================================
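Review bot: deleting the "Incompatible changes with snapshot 20231221" section also drops the only RELEASE_NOTES sentence stating that the back-ported feature has "smtpd_forbid_bare_newline = no" as its default in the stable releases. The surviving "This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24" line does not say that the default differs there. Suggest carrying that sentence into the consolidated section; the postconf text in this same commit does document "no (default for Postfix < 3.9)", so RELEASE_NOTES should agree with it.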


@ -15969,7 +15969,8 @@ SMTP smuggling</a>. </p>
<dl compact>
<dt> <b>normalize</b> (default)</dt> <dd> Require the standard
<dt> <b>normalize</b> (default for Postfix &ge; 3.9) </dt>
<dd> Require the standard
End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
Otherwise, allow command or message content lines ending in the
non-standard &lt;LF&gt;, and process them as if the client sent the
@ -15990,16 +15991,17 @@ or message content when a line contains bare &lt;LF&gt;, log a "bare
$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will reject
email from SMTP clients that send any non-standard line endings
such as web applications, netcat, or load balancer health checks.
<br> <br> This will also reject some email from Microsoft services
whose BDAT implementations violate the canonical MIME format for
text messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC</a>
<a href="https://tools.ietf.org/html/rfc2045">2045</a> Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case of BDAT
violations, BDAT can be selectively disabled with
<br> <br> This will also reject email from services that use BDAT
to send MIME text containing a bare newline (<a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3
requires canonical MIME format for text message types, defined in
<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> Sections 2.7 and 2.8). <br> <br> Such clients can be
excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case
of BDAT violations, BDAT can be selectively disabled with
<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
<dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
<dt> <b>no</b> (default for Postfix &lt; 3.9) </dt>
<dd> Do not require the standard End-of-DATA
sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
a bare &lt;LF&gt; as if the client sent &lt;CR&gt;&lt;LF&gt;. This
option is fully backwards compatible, but is not recommended for
@ -16009,7 +16011,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
</dl>
<p> Example 1: </p>
<p> Recommended settings: </p>
<blockquote>
<pre>
@ -16031,7 +16033,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
</pre>
</blockquote>
<p> Example 2: </p>
<p> Alternative: </p>
<blockquote>
<pre>
@ -16043,10 +16045,10 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
# line endings such as web applications, netcat, or load balancer
# health checks.
#
# This will also reject some email from Microsoft services whose
# BDAT implementations violate the canonical MIME format for text
# messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>
# Sections 2.7 and 2.8.
# This will also reject email from services that use BDAT to send
# MIME text containing a bare newline (<a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3 requires
# canonical MIME format for text message types, defined in <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>
# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
# The example below allowlists SMTP clients in trusted networks.
@ -16058,8 +16060,9 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally
# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>.
#
# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> =
# <a href="cidr_table.5.html">cidr</a>:{{10.0.0.1/24 chunking, silent-discard}}
# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> = <a href="cidr_table.5.html">cidr</a>:/path/to/file
# /path/to/file:
# 10.0.0.0/24 chunking, silent-discard
# <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent-discard
</pre>
</blockquote>


@ -11038,7 +11038,7 @@ vulnerable to
SMTP smuggling.
.PP
Specify one of the following values (case does not matter):
.IP "\fBnormalize\fR (default)"
.IP "\fBnormalize\fR (default for Postfix >= 3.9)"
Require the standard
End\-of\-DATA sequence <CR><LF>.<CR><LF>.
Otherwise, allow command or message content lines ending in the
@ -11073,19 +11073,19 @@ email from SMTP clients that send any non\-standard line endings
such as web applications, netcat, or load balancer health checks.
.br
.br
This will also reject some email from Microsoft services
whose BDAT implementations violate the canonical MIME format for
text messages required in RFC 3030 Section 3, and defined in RFC
2045 Sections 2.7 and 2.8.
This will also reject email from services that use BDAT
to send MIME text containing a bare newline (RFC 3030 Section 3
requires canonical MIME format for text message types, defined in
RFC 2045 Sections 2.7 and 2.8).
.br
.br
Such clients can be excluded
with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
violations, BDAT can be selectively disabled with
Such clients can be
excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
of BDAT violations, BDAT can be selectively disabled with
smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
smtpd_discard_ehlo_keywords).
.br
.IP "\fBno\fR"
.IP "\fBno\fR (default for Postfix < 3.9)"
Do not require the standard End\-of\-DATA
sequence <CR><LF>.<CR><LF>. Always process
a bare <LF> as if the client sent <CR><LF>. This
@ -11094,7 +11094,7 @@ an Internet\-facing SMTP server, because it is vulnerable to SMTP smuggling.
.br
.br
.PP
Example 1:
Recommended settings:
.sp
.in +4
.nf
@ -11120,7 +11120,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
.ft R
.in -4
.PP
Example 2:
Alternative:
.sp
.in +4
.nf
@ -11134,10 +11134,10 @@ Example 2:
# line endings such as web applications, netcat, or load balancer
# health checks.
#
# This will also reject some email from Microsoft services whose
# BDAT implementations violate the canonical MIME format for text
# messages required in RFC 3030 Section 3, and defined in RFC 2045
# Sections 2.7 and 2.8.
# This will also reject email from services that use BDAT to send
# MIME text containing a bare newline (RFC 3030 Section 3 requires
# canonical MIME format for text message types, defined in RFC 2045
# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@ -11149,8 +11149,9 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
# smtpd_discard_ehlo_keyword_address_maps =
# cidr:{{10.0.0.1/24 chunking, silent\-discard}}
# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
# /path/to/file:
# 10.0.0.0/24 chunking, silent\-discard
# smtpd_discard_ehlo_keywords = chunking, silent\-discard
.fi
.ad


@ -19068,7 +19068,8 @@ SMTP smuggling</a>. </p>
<dl compact>
<dt> <b>normalize</b> (default)</dt> <dd> Require the standard
<dt> <b>normalize</b> (default for Postfix &ge; 3.9) </dt>
<dd> Require the standard
End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
Otherwise, allow command or message content lines ending in the
non-standard &lt;LF&gt;, and process them as if the client sent the
@ -19089,16 +19090,17 @@ or message content when a line contains bare &lt;LF&gt;, log a "bare
$smtpd_forbid_bare_newline_reject_code. <br> <br> This will reject
email from SMTP clients that send any non-standard line endings
such as web applications, netcat, or load balancer health checks.
<br> <br> This will also reject some email from Microsoft services
whose BDAT implementations violate the canonical MIME format for
text messages required in RFC 3030 Section 3, and defined in RFC
2045 Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
violations, BDAT can be selectively disabled with
<br> <br> This will also reject email from services that use BDAT
to send MIME text containing a bare newline (RFC 3030 Section 3
requires canonical MIME format for text message types, defined in
RFC 2045 Sections 2.7 and 2.8). <br> <br> Such clients can be
excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
of BDAT violations, BDAT can be selectively disabled with
smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
smtpd_discard_ehlo_keywords). </dd>
<dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
<dt> <b>no</b> (default for Postfix &lt; 3.9) </dt>
<dd> Do not require the standard End-of-DATA
sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
a bare &lt;LF&gt; as if the client sent &lt;CR&gt;&lt;LF&gt;. This
option is fully backwards compatible, but is not recommended for
@ -19108,7 +19110,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
</dl>
<p> Example 1: </p>
<p> Recommended settings: </p>
<blockquote>
<pre>
@ -19130,7 +19132,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
<p> Example 2: </p>
<p> Alternative: </p>
<blockquote>
<pre>
@ -19142,10 +19144,10 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# line endings such as web applications, netcat, or load balancer
# health checks.
#
# This will also reject some email from Microsoft services whose
# BDAT implementations violate the canonical MIME format for text
# messages required in RFC 3030 Section 3, and defined in RFC 2045
# Sections 2.7 and 2.8.
# This will also reject email from services that use BDAT to send
# MIME text containing a bare newline (RFC 3030 Section 3 requires
# canonical MIME format for text message types, defined in RFC 2045
# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@ -19157,8 +19159,9 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
# smtpd_discard_ehlo_keyword_address_maps =
# cidr:{{10.0.0.1/24 chunking, silent-discard}}
# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
# /path/to/file:
# 10.0.0.0/24 chunking, silent-discard
# smtpd_discard_ehlo_keywords = chunking, silent-discard
</pre>
</blockquote>


@ -42,3 +42,4 @@ virtual virtual alias domain anything right hand content does not matter
skipping unexpected LF LF in DATA from
Inbound SMTP smuggling strip extra CR in CR LF CR CR LF
Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF
CR LF CR CR LF to silence false alarms from test tools


@ -350,3 +350,5 @@ standard lt CR gt lt LF gt br br This maintains compatibility
smtpd_forbid_bare_newline_reject_code br br This will reject
br br This will also reject some email from Microsoft services
2045 Sections 2 7 and 2 8 br br Such clients can be excluded
br br This will also reject email from services that use BDAT
RFC 2045 Sections 2 7 and 2 8 br br Such clients can be


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20240118"
#define MAIL_RELEASE_DATE "20240121"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT