diff --git a/postfix/HISTORY b/postfix/HISTORY
index 059274b52..1c7569cb4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -27721,12 +27721,13 @@ Apologies for any names omitted.
Reverted some changes after postfix-3.9-20240112, and updated
documentation.
-20240118
+20240121
- Documentation: Microsoft uses BDAT to send content with
- bare LF. This violates the canonical MIME format for text
- messages as required in RFC 3030 section 3, and as defined
- in RFC 2045 sections 2.7 and 2.8. Files: proto/postconf.proto,
+ Documentation: "smtpd_forbid_bare_newline = reject" will
+ reject email from services that use BDAT to send MIME text
+ containing a bare newline (RFC 3030 Section 3 requires
+ canonical MIME format for text message types, defined in
+ RFC 2045 Sections 2.7 and 2.8) Files: proto/postconf.proto,
RELEASE_NOTES.
Baseline for back porting the SMTP smuggling fixes to Postfix
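Review bot: the new HISTORY wording drops the sentence-ending period before the file list; the line "RFC 2045 Sections 2.7 and 2.8) Files: proto/postconf.proto," should read "RFC 2045 Sections 2.7 and 2.8). Files: proto/postconf.proto," to match the entry it replaces ("sections 2.7 and 2.8. Files:") and the other HISTORY entries.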
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index c2529bc9b..12b190f24 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -29,18 +29,19 @@ IPL can continue with that license.
Incompatibility with snapshot 20240110
=======================================
-Outbound SMTP smuggling: with "cleanup_replace_stray_cr_lf = yes", the
-cleanup daemon replaces each stray or character in message
-content with a space character. The replacement happens before any other
-content management.
+- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
+ daemon replaces each stray or character in message
+ content with a space character. The replacement happens before
+ any other content management (header/body_checks, Milters, etc).
-This prevents outbound SMTP smuggling, where an attacker uses Postfix
-to send email with a non-standard End-of-DATA sequence that exploits
-inbound SMTP smuggling at a vulnerable SMTP server.
+ This prevents outbound SMTP smuggling, where an attacker uses
+ Postfix to send email containing a non-standard End-of-DATA
+ sequence, to exploit inbound SMTP smuggling at a vulnerable remote
+ SMTP server.
-This also ensures that the evaluation of Postfix-added DKIM and
-other signatures will not depend on how a remote mail server handles
-stray or characters.
+ This also improves the remote evaluation of Postfix-added DKIM
+ and other signatures, as the evaluation result will not depend
+ on how a remote email server handles stray or characters.
This feature applies to all email that Postfix locally or remotely
sends out. It is not allowlisted based on client identity.
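Review bot: the unchanged trailing paragraph "This feature applies to all email that Postfix locally or remotely sends out." is still at column 0, while everything above it in this hunk was re-indented as continuation text of the new "- With ..." bullet, so the bullet now visually ends before its last paragraph; indent that paragraph like the other continuation lines. Minor: "(header/body_checks, Milters, etc)" should be "(header/body_checks, Milters, etc.)".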
@@ -53,25 +54,30 @@ background, see https://www.postfix.org/smtp-smuggling.html
This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24.
+- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
+ = normalize" requires the standard End-of-DATA sequence
+ ., but allows bare newlines from SMTP clients,
+ maintaining more compatibility with existing infrastructure.
+
- Improved logging for rejected input (it now includes queue ID,
helo, mail, and rcpt, if available).
-- The new default "smtpd_forbid_bare_newline = normalize"
- requires the standard End-of-DATA sequence ., and
- allows bare newlines from SMTP clients, maintaining more compatibility
- with infrastructure tools such as probers and surveys.
+- The setting "smtpd_forbid_bare_newline = reject" requires
+ that input lines end in , requires the standard End-of-DATA
+ sequence ., and rejects a command or message that
+ contains a bare newline. To disconnect the client, specify
+ "smtpd_forbid_bare_newline_reject_code = 521".
-- The new setting "smtpd_forbid_bare_newline = reject" requires
- that input lines end in , requires the standard
- End-of-DATA sequence ., and rejects a command or
- message that contains a bare newline. To disconnect the client,
- specify "smtpd_forbid_bare_newline_reject_code = 521".
+- The Postfix SMTP server no longer strips extra as in
+ ., to silence false alarms from test tools
+ that send attack sequences that real mail servers cannot send.
+ Details at https://www.postfix.org/false-smuggling-claims.html
- The old setting "yes" has become an alias for "normalize".
- The old setting "no" has not changed, and allows SMTP smuggling.
-The recommended Postfix 3.9 settings (i.e. the defaults) are now:
+The recommended settings are now:
# Require the standard End-of-DATA sequence ..
# Otherwise, allow bare and process it as if the client sent
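Review bot: the new "- Better compatibility: the recommended setting "smtpd_forbid_bare_newline = normalize" ..." bullet and the "- The setting "smtpd_forbid_bare_newline = reject" ..." bullet describe the two values of one parameter, but the unrelated "- Improved logging for rejected input" bullet now sits between them; moving the logging bullet either above "Better compatibility" or below the "yes"/"no" alias bullets keeps the value descriptions together. Dropping "(i.e. the defaults)" from "The recommended settings are now:" is consistent with the back-port statement above it, since the postconf text in this same change marks "normalize" as the default only for Postfix >= 3.9.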
@@ -99,10 +105,10 @@ Alternative settings:
# line endings such as web applications, netcat, or load balancer
# health checks.
#
- # This will also reject some email from Microsoft services whose
- # BDAT implementations violate the canonical MIME format for text
- # messages required in RFC 3030 Section 3, and defined in RFC 2045
- # Sections 2.7 and 2.8.
+ # This will also reject email from services that use BDAT to send
+ # MIME text containing a bare newline (RFC 3030 Section 3 requires
+ # canonical MIME format for text message types, defined in RFC 2045
+ # Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@@ -114,40 +120,11 @@ Alternative settings:
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
- # smtpd_discard_ehlo_keyword_address_maps =
- # cidr:{{10.0.0.1/24 chunking, silent-discard}}
+ # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+ # /path/to/file:
+ # 10.0.0.0/24 chunking, silent-discard
# smtpd_discard_ehlo_keywords = chunking, silent-discard
-Major changes with snapshot 20240106
-====================================
-
-Inbound SMTP smuggling: don't strip extra in .,
-to silence test tools that send attack sequences that are not viable.
-Details at https://www.postfix.org/false-smuggling-claims.html
-
-Incompatible changes with snapshot 20231221
-===========================================
-
-Postfix 3.9 by default disconnects a client that sends a 'bare
-newline' ending in SMTP. This prevents an SMTP smuggling attack
-that targets recipients at a Postfix server. For background,
-see https://www.postfix.org/smtp-smuggling.html
-
-For compatibility with non-standard clients, Postfix 3.9 by default
-excludes clients in mynetworks from this countermeasure.
-
-The Postfix 3.9 default settings are:
-
- # Disconnect remote SMTP clients that send bare newlines, but
- # allow local clients with non-standard SMTP implementations
- # such as netcat, fax machines, or load balancer health checks.
- #
- smtpd_forbid_bare_newline = yes
- smtpd_forbid_bare_newline_exclusions = $mynetworks
-
-This feature is back-ported to all supported stable releases, with
-the difference that "smtpd_forbid_bare_newline = no" by default.
-
Incompatible changes with snapshot 20230903
===========================================
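Review bot: removing the "Incompatible changes with snapshot 20231221" block also removes the only RELEASE_NOTES sentence stating that the back-ported stable releases default to "smtpd_forbid_bare_newline = no" ("This feature is back-ported to all supported stable releases, with the difference that ..."); the surviving text only says the fixes "will be back ported", so consider carrying that one sentence into the section above, in line with the "no (default for Postfix < 3.9)" wording added to postconf in this same change. The example change from "10.0.0.1/24" to "10.0.0.0/24" is a good fix, since the old value was a host address with a network prefix.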
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 2fe15dcc2..8252c6f2b 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -15969,7 +15969,8 @@ SMTP smuggling.
-- normalize (default)
- Require the standard
+
- normalize (default for Postfix ≥ 3.9)
+- Require the standard
End-of-DATA sequence <CR><LF>.<CR><LF>.
Otherwise, allow command or message content lines ending in the
non-standard <LF>, and process them as if the client sent the
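Review bot: "normalize (default for Postfix ≥ 3.9)" uses a raw non-ASCII "≥" in the HTML, while the man page hunk in this same change spells it ">=" ; use "&ge;" (or ">=" to match the man page) so the two outputs agree and the HTML does not depend on the page's declared character encoding. Since postconf.5.html is generated from proto/postconf.proto, the fix belongs in the proto hunk below.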
@@ -15990,16 +15991,17 @@ or message content when a line contains bare <LF>, log a "bare
$smtpd_forbid_bare_newline_reject_code.
This will reject
email from SMTP clients that send any non-standard line endings
such as web applications, netcat, or load balancer health checks.
-
This will also reject some email from Microsoft services
-whose BDAT implementations violate the canonical MIME format for
-text messages required in RFC 3030 Section 3, and defined in RFC
-2045 Sections 2.7 and 2.8.
Such clients can be excluded
-with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
-violations, BDAT can be selectively disabled with
+
This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (RFC 3030 Section 3
+requires canonical MIME format for text message types, defined in
+RFC 2045 Sections 2.7 and 2.8).
Such clients can be
+excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
smtpd_discard_ehlo_keywords).
-- no
- Do not require the standard End-of-DATA
+
- no (default for Postfix < 3.9)
+- Do not require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Always process
a bare <LF> as if the client sent <CR><LF>. This
option is fully backwards compatible, but is not recommended for
@@ -16009,7 +16011,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
- Example 1:
+ Recommended settings:
@@ -16031,7 +16033,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
- Example 2:
+ Alternative:
@@ -16043,10 +16045,10 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
# line endings such as web applications, netcat, or load balancer
# health checks.
#
-# This will also reject some email from Microsoft services whose
-# BDAT implementations violate the canonical MIME format for text
-# messages required in RFC 3030 Section 3, and defined in RFC 2045
-# Sections 2.7 and 2.8.
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (RFC 3030 Section 3 requires
+# canonical MIME format for text message types, defined in RFC 2045
+# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@@ -16058,8 +16060,9 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
-# smtpd_discard_ehlo_keyword_address_maps =
-# cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent-discard
# smtpd_discard_ehlo_keywords = chunking, silent-discard
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index fafa29b83..9c1582dbc 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -11038,7 +11038,7 @@ vulnerable to
SMTP smuggling.
.PP
Specify one of the following values (case does not matter):
-.IP "\fBnormalize\fR (default)"
+.IP "\fBnormalize\fR (default for Postfix >= 3.9)"
Require the standard
End\-of\-DATA sequence ..
Otherwise, allow command or message content lines ending in the
@@ -11073,19 +11073,19 @@ email from SMTP clients that send any non\-standard line endings
such as web applications, netcat, or load balancer health checks.
.br
.br
-This will also reject some email from Microsoft services
-whose BDAT implementations violate the canonical MIME format for
-text messages required in RFC 3030 Section 3, and defined in RFC
-2045 Sections 2.7 and 2.8.
+This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (RFC 3030 Section 3
+requires canonical MIME format for text message types, defined in
+RFC 2045 Sections 2.7 and 2.8).
.br
.br
-Such clients can be excluded
-with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
-violations, BDAT can be selectively disabled with
+Such clients can be
+excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
smtpd_discard_ehlo_keywords).
.br
-.IP "\fBno\fR"
+.IP "\fBno\fR (default for Postfix < 3.9)"
Do not require the standard End\-of\-DATA
sequence .. Always process
a bare as if the client sent . This
@@ -11094,7 +11094,7 @@ an Internet\-facing SMTP server, because it is vulnerable to SMTP smuggling.
.br
.br
.PP
-Example 1:
+Recommended settings:
.sp
.in +4
.nf
@@ -11120,7 +11120,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
.ft R
.in -4
.PP
-Example 2:
+Alternative:
.sp
.in +4
.nf
@@ -11134,10 +11134,10 @@ Example 2:
# line endings such as web applications, netcat, or load balancer
# health checks.
#
-# This will also reject some email from Microsoft services whose
-# BDAT implementations violate the canonical MIME format for text
-# messages required in RFC 3030 Section 3, and defined in RFC 2045
-# Sections 2.7 and 2.8.
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (RFC 3030 Section 3 requires
+# canonical MIME format for text message types, defined in RFC 2045
+# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@@ -11149,8 +11149,9 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
-# smtpd_discard_ehlo_keyword_address_maps =
-# cidr:{{10.0.0.1/24 chunking, silent\-discard}}
+# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent\-discard
# smtpd_discard_ehlo_keywords = chunking, silent\-discard
.fi
.ad
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 853c58478..bf2b185f5 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -19068,7 +19068,8 @@ SMTP smuggling.
-- normalize (default)
- Require the standard
+
- normalize (default for Postfix ≥ 3.9)
+- Require the standard
End-of-DATA sequence <CR><LF>.<CR><LF>.
Otherwise, allow command or message content lines ending in the
non-standard <LF>, and process them as if the client sent the
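Review bot: the raw "≥" in "normalize (default for Postfix ≥ 3.9)" is introduced here in the proto source and propagates to postconf.5.html, whereas the man page hunk uses ">="; spelling it "&ge;" (or ">=") in the proto keeps the generated HTML ASCII-clean and consistent with the man page.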
@@ -19089,16 +19090,17 @@ or message content when a line contains bare <LF>, log a "bare
$smtpd_forbid_bare_newline_reject_code.
This will reject
email from SMTP clients that send any non-standard line endings
such as web applications, netcat, or load balancer health checks.
-
This will also reject some email from Microsoft services
-whose BDAT implementations violate the canonical MIME format for
-text messages required in RFC 3030 Section 3, and defined in RFC
-2045 Sections 2.7 and 2.8.
Such clients can be excluded
-with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
-violations, BDAT can be selectively disabled with
+
This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (RFC 3030 Section 3
+requires canonical MIME format for text message types, defined in
+RFC 2045 Sections 2.7 and 2.8).
Such clients can be
+excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
smtpd_discard_ehlo_keywords).
-- no
- Do not require the standard End-of-DATA
+
- no (default for Postfix < 3.9)
+- Do not require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Always process
a bare <LF> as if the client sent <CR><LF>. This
option is fully backwards compatible, but is not recommended for
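Review bot: "no (default for Postfix < 3.9)" puts a bare "<" into the proto text, which is otherwise entity-encoded (the stop.double-proto-html hunk in this change records the surrounding "<CR><LF>" as "lt CR gt lt LF gt"), and the same bare "<" is inherited by the postconf.5.html hunk; write it as "no (default for Postfix &lt; 3.9)" so the generated HTML is well-formed regardless of how a browser tolerates an unescaped "<" before whitespace.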
@@ -19108,7 +19110,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
- Example 1:
+ Recommended settings:
@@ -19130,7 +19132,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
- Example 2:
+ Alternative:
@@ -19142,10 +19144,10 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# line endings such as web applications, netcat, or load balancer
# health checks.
#
-# This will also reject some email from Microsoft services whose
-# BDAT implementations violate the canonical MIME format for text
-# messages required in RFC 3030 Section 3, and defined in RFC 2045
-# Sections 2.7 and 2.8.
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (RFC 3030 Section 3 requires
+# canonical MIME format for text message types, defined in RFC 2045
+# Sections 2.7 and 2.8).
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
@@ -19157,8 +19159,9 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
# disabled with smtpd_discard_ehlo_keywords.
#
-# smtpd_discard_ehlo_keyword_address_maps =
-# cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent-discard
# smtpd_discard_ehlo_keywords = chunking, silent-discard
diff --git a/postfix/proto/stop.double-install-proto-text b/postfix/proto/stop.double-install-proto-text
index 5791910d3..4e3f43dca 100644
--- a/postfix/proto/stop.double-install-proto-text
+++ b/postfix/proto/stop.double-install-proto-text
@@ -42,3 +42,4 @@ virtual virtual alias domain anything right hand content does not matter
skipping unexpected LF LF in DATA from
Inbound SMTP smuggling strip extra CR in CR LF CR CR LF
Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF
+ CR LF CR CR LF to silence false alarms from test tools
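Review bot: the two existing entries "Inbound SMTP smuggling strip extra CR in CR LF CR CR LF" and "Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF" exempted the RELEASE_NOTES paragraph ("Inbound SMTP smuggling: don't strip extra ... in ...") that this change deletes, so they appear to be stale now; the added line covers the replacement wording, and the old two can be dropped so the exemption list does not accumulate dead entries.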
diff --git a/postfix/proto/stop.double-proto-html b/postfix/proto/stop.double-proto-html
index 20be48655..2e1962e68 100644
--- a/postfix/proto/stop.double-proto-html
+++ b/postfix/proto/stop.double-proto-html
@@ -350,3 +350,5 @@ standard lt CR gt lt LF gt br br This maintains compatibility
smtpd_forbid_bare_newline_reject_code br br This will reject
br br This will also reject some email from Microsoft services
2045 Sections 2 7 and 2 8 br br Such clients can be excluded
+ br br This will also reject email from services that use BDAT
+RFC 2045 Sections 2 7 and 2 8 br br Such clients can be
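Review bot: the existing entries "br br This will also reject some email from Microsoft services" and "2045 Sections 2 7 and 2 8 br br Such clients can be excluded" correspond to the postconf.proto text removed in this change; the two added lines cover the new wording, so the old two can be removed rather than left behind as dead exemptions.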
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 6a1035760..6a55838df 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20240118"
+#define MAIL_RELEASE_DATE "20240121"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT