From dd0f14446a4bbfec2f4fb48f11089a100e7ad414 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Thu, 21 Dec 2023 00:00:00 -0500 Subject: [PATCH] postfix-3.9-20231221 --- postfix/HISTORY | 19 +-- postfix/RELEASE_NOTES | 23 ++++ postfix/html/postconf.5.html | 47 ++++++- postfix/html/smtpd.8.html | 198 +++++++++++++++--------------- postfix/man/man5/postconf.5 | 49 +++++++- postfix/man/man8/smtpd.8 | 3 + postfix/mantools/postlink | 1 + postfix/proto/postconf.proto | 43 ++++++- postfix/src/global/mail_params.h | 3 + postfix/src/global/mail_version.h | 2 +- postfix/src/smtpd/smtpd.c | 20 ++- 11 files changed, 289 insertions(+), 119 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index f4d925512..1de5eaac2 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27631,12 +27631,15 @@ Apologies for any names omitted. cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d], cleanup/cleanup_milter.ref18[a-d][12]. -20231219 +20231221 - Protocol enforcement: with "smtpd_forbid_bare_newline = - yes" (the default for Postfix 3.9), reply with "Error: bare - received" and disconnect when an SMTP client sends a - line ending in , violating the RFC 5321 requirement - that lines must end in . Files: mantools/postlink, - proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, - global/smtp_stream.h, smtpd/smtpd.c. + Security: with "smtpd_forbid_bare_newline = yes" (the default + for Postfix 3.9), reply with "Error: bare received" + and disconnect when an SMTP client sends a line ending in + , violating the RFC 5321 requirement that lines must + end in . This prevents SMTP smuggling attacks that + target a recipient at a Postfix server. For backwards + compatibility, local clients are excluded by default with + "smtpd_forbid_bare_newline_exclusions = $mynetworks". Files: + mantools/postlink, proto/postconf.proto, global/mail_params.h, + global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 7396b3ee0..70d611ee3 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -26,6 +26,29 @@ now also distributed with the more recent Eclipse Public License license of their choice. Those who are more comfortable with the IPL can continue with that license. +Incompatible changes with snapshot 20231221 +=========================================== + +Postfix 3.9 by default disconnects a client that sends a 'bare +newline' ending in SMTP. This prevents an SMTP smuggling attack +that targets recipients at a Postfix server. For background, +see https://www.postfix.org/smtp-smuggling.html + +For compatibility with non-standard clients, Postfix 3.9 by default +excludes clients in mynetworks from this countermeasure. + +The Postfix 3.9 default settings are: + + # Disconnect remote SMTP clients that send bare newlines, but + # allow local clients with non-standard SMTP implementations + # such as netcat, fax machines, or load balancer health checks. + # + smtpd_forbid_bare_newline = yes + smtpd_forbid_bare_newline_exclusions = $mynetworks + +This feature is back-ported to all supported stable releases, with +the difference that "smtpd_forbid_bare_newline = no" by default. + Incompatible changes with snapshot 20230903 =========================================== diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index ee933d66b..c6b76a48c 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -15927,10 +15927,49 @@ This feature is available in Postfix 2.0 and later.

Reply with "Error: bare <LF> received" and disconnect when a remote SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. -This feature is enabled by default with Postfix ≥ 3.9 but may -not work with non-standard clients such as netcat. Specify -"smtpd_forbid_bare_newline = no" to disable (not recommended for -an Internet-connected MTA).

+This feature is enabled by default with Postfix ≥ 3.9. Use +smtpd_forbid_bare_newline_exclusions to exclude non-standard clients +such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable +(not recommended for an Internet-connected MTA).

+ +

Example:

+ +
+
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+
+ +

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, +3.6.13, and 3.5.23.

+ + + + +
smtpd_forbid_bare_newline_exclusions +(default: $mynetworks)
+ +

Exclude the specified clients from smtpd_forbid_bare_newline +enforcement. It uses the same syntax and parent-domain matching +behavior as mynetworks.

+ +

Example:

+ +
+
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23.

diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 084d34bc3..187af67f4 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -1002,56 +1002,60 @@ SMTPD(8) SMTPD(8) remote SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. + smtpd_forbid_bare_newline_exclusions ($mynetworks) + Exclude the specified clients from smtpd_forbid_bare_newline + enforcement. + TARPIT CONTROLS - When a remote SMTP client makes errors, the Postfix SMTP server can - insert delays before responding. This can help to slow down run-away - software. The behavior is controlled by an error counter that counts + When a remote SMTP client makes errors, the Postfix SMTP server can + insert delays before responding. This can help to slow down run-away + software. The behavior is controlled by an error counter that counts the number of errors within an SMTP session that a client makes without delivering mail. smtpd_error_sleep_time (1s) - With Postfix version 2.1 and later: the SMTP server response - delay after a client has made more than $smtpd_soft_error_limit - errors, and fewer than $smtpd_hard_error_limit errors, without + With Postfix version 2.1 and later: the SMTP server response + delay after a client has made more than $smtpd_soft_error_limit + errors, and fewer than $smtpd_hard_error_limit errors, without delivering mail. smtpd_soft_error_limit (10) - The number of errors a remote SMTP client is allowed to make - without delivering mail before the Postfix SMTP server slows + The number of errors a remote SMTP client is allowed to make + without delivering mail before the Postfix SMTP server slows down all its responses. smtpd_hard_error_limit (normal: 20, overload: 1) - The maximal number of errors a remote SMTP client is allowed to + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. smtpd_junk_command_limit (normal: 100, overload: 1) - The number of junk commands (NOOP, VRFY, ETRN or RSET) that a - remote SMTP client can send before the Postfix SMTP server + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a + remote SMTP client can send before the Postfix SMTP server starts to increment the error counter with each junk command. Available in Postfix version 2.1 and later: smtpd_recipient_overshoot_limit (1000) - The number of recipients that a remote SMTP client can send in + The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, - before the Postfix SMTP server increments the per-session error + before the Postfix SMTP server increments the per-session error count for each excess recipient. ACCESS POLICY DELEGATION CONTROLS - As of version 2.1, Postfix can be configured to delegate access policy - decisions to an external server that runs outside Postfix. See the + As of version 2.1, Postfix can be configured to delegate access policy + decisions to an external server that runs outside Postfix. See the file SMTPD_POLICY_README for more information. smtpd_policy_service_max_idle (300s) - The time after which an idle SMTPD policy service connection is + The time after which an idle SMTPD policy service connection is closed. smtpd_policy_service_max_ttl (1000s) - The time after which an active SMTPD policy service connection + The time after which an active SMTPD policy service connection is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to, or receiving from + The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server. Available in Postfix version 3.0 and later: @@ -1061,81 +1065,81 @@ SMTPD(8) SMTPD(8) The default action when an SMTPD policy service request fails. smtpd_policy_service_request_limit (0) - The maximal number of requests per SMTPD policy service connec- + The maximal number of requests per SMTPD policy service connec- tion, or zero (no limit). smtpd_policy_service_try_limit (2) - The maximal number of attempts to send an SMTPD policy service + The maximal number of attempts to send an SMTPD policy service request before giving up. smtpd_policy_service_retry_delay (1s) - The delay between attempts to resend a failed SMTPD policy ser- + The delay between attempts to resend a failed SMTPD policy ser- vice request. Available in Postfix version 3.1 and later: smtpd_policy_service_policy_context (empty) - Optional information that the Postfix SMTP server specifies in - the "policy_context" attribute of a policy service request - (originally, to share the same service endpoint among multiple + Optional information that the Postfix SMTP server specifies in + the "policy_context" attribute of a policy service request + (originally, to share the same service endpoint among multiple check_policy_service clients). ACCESS CONTROLS - The SMTPD_ACCESS_README document gives an introduction to all the SMTP + The SMTPD_ACCESS_README document gives an introduction to all the SMTP server access control features. smtpd_delay_reject (yes) - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command - before evaluating $smtpd_client_restrictions and + before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. parent_domain_matches_subdomains (see 'postconf -d' output) - A list of Postfix features where the pattern "example.com" also - matches subdomains of example.com, instead of requiring an + A list of Postfix features where the pattern "example.com" also + matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. smtpd_client_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. smtpd_helo_required (no) - Require that a remote SMTP client introduces itself with the - HELO or EHLO command before sending the MAIL command or other + Require that a remote SMTP client introduces itself with the + HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. smtpd_recipient_restrictions (see 'postconf -d' output) - Optional restrictions that the Postfix SMTP server applies in - the context of a client RCPT TO command, after + Optional restrictions that the Postfix SMTP server applies in + the context of a client RCPT TO command, after smtpd_relay_restrictions. smtpd_etrn_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client ETRN command. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients to destina- + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destina- tions matching $relay_domains. smtpd_restriction_classes (empty) User-defined aliases for groups of access restrictions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables instead of + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) - Restrict the use of the permit_mx_backup SMTP access feature to + Restrict the use of the permit_mx_backup SMTP access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: @@ -1145,19 +1149,19 @@ SMTPD(8) SMTPD(8) applies in the context of the SMTP DATA command. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of RBL reply + What characters are allowed in $name expansions of RBL reply templates. Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail from unknown - sender addresses, even when no explicit reject_unlisted_sender + Request that the Postfix SMTP server rejects mail from unknown + sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail for unknown - recipient addresses, even when no explicit + Request that the Postfix SMTP server rejects mail for unknown + recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. Available in Postfix version 2.2 and later: @@ -1171,17 +1175,17 @@ SMTPD(8) SMTPD(8) smtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) Access restrictions for mail relay control that the Postfix SMTP - server applies in the context of the RCPT TO command, before + server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient address verifica- + Postfix version 2.1 introduces sender and recipient address verifica- tion. This feature is implemented by sending probe email messages that are not actually delivered. This feature is requested via the - reject_unverified_sender and reject_unverified_recipient access - restrictions. The status of verification probes is maintained by the - verify(8) server. See the file ADDRESS_VERIFICATION_README for infor- - mation about how to configure and operate the Postfix sender/recipient + reject_unverified_sender and reject_unverified_recipient access + restrictions. The status of verification probes is maintained by the + verify(8) server. See the file ADDRESS_VERIFICATION_README for infor- + mation about how to configure and operate the Postfix sender/recipient address verification service. address_verify_poll_count (normal: 3, overload: 1) @@ -1193,7 +1197,7 @@ SMTPD(8) SMTPD(8) fication request in progress. address_verify_sender ($double_bounce_sender) - The sender address to use in address verification probes; prior + The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". unverified_sender_reject_code (450) @@ -1201,18 +1205,18 @@ SMTPD(8) SMTPD(8) address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a recipient - address is rejected by the reject_unverified_recipient restric- + The numerical Postfix SMTP server response when a recipient + address is rejected by the reject_unverified_recipient restric- tion. Available in Postfix version 2.6 and later: unverified_sender_defer_code (450) - The numerical Postfix SMTP server response code when a sender + The numerical Postfix SMTP server response code when a sender address probe fails due to a temporary error condition. unverified_recipient_defer_code (450) - The numerical Postfix SMTP server response when a recipient + The numerical Postfix SMTP server response when a recipient address probe fails due to a temporary error condition. unverified_sender_reject_reason (empty) @@ -1224,17 +1228,17 @@ SMTPD(8) SMTPD(8) reject_unverified_recipient. unverified_sender_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unverified_sender + The Postfix SMTP server's action when reject_unverified_sender fails due to a temporary error condition. unverified_recipient_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unverified_recipi- + The Postfix SMTP server's action when reject_unverified_recipi- ent fails due to a temporary error condition. Available with Postfix 2.9 and later: address_verify_sender_ttl (0s) - The time between changes in the time-dependent portion of + The time between changes in the time-dependent portion of address verification probe sender addresses. ACCESS CONTROL RESPONSES @@ -1246,36 +1250,36 @@ SMTPD(8) SMTPD(8) map "reject" action. defer_code (450) - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code when the client - HELO or EHLO command parameter is rejected by the + The numerical Postfix SMTP server response code when the client + HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the reject_rbl_client, + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction. non_fqdn_reject_code (504) - The numerical Postfix SMTP server reply code when a client - request is rejected by the reject_non_fqdn_helo_hostname, + The numerical Postfix SMTP server reply code when a client + request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. plaintext_reject_code (450) - The numerical Postfix SMTP server response code when a request + The numerical Postfix SMTP server response code when a request is rejected by the reject_plaintext_session restriction. reject_code (554) - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code when a client - request is rejected by the reject_unauth_destination recipient + The numerical Postfix SMTP server response code when a client + request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) @@ -1283,24 +1287,24 @@ SMTPD(8) SMTPD(8) a sender or recipient address because its domain is unknown. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code when a client - without valid address <=> name mapping is rejected by the + The numerical Postfix SMTP server response code when a client + without valid address <=> name mapping is rejected by the reject_unknown_client_hostname restriction. unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code when the host- - name specified with the HELO or EHLO command is rejected by the + The numerical Postfix SMTP server response code when the host- + name specified with the HELO or EHLO command is rejected by the reject_unknown_helo_hostname restriction. Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default Postfix SMTP server response template for a request + The default Postfix SMTP server response template for a request that is rejected by an RBL-based restriction. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the reject_multi_recipi- + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the reject_multi_recipi- ent_bounce restriction. rbl_reply_maps (empty) @@ -1310,52 +1314,52 @@ SMTPD(8) SMTPD(8) access_map_defer_code (450) The numerical Postfix SMTP server response code for an access(5) - map "defer" action, including "defer_if_permit" or + map "defer" action, including "defer_if_permit" or "defer_if_reject". reject_tempfail_action (defer_if_permit) - The Postfix SMTP server's action when a reject-type restriction + The Postfix SMTP server's action when a reject-type restriction fails due to a temporary error condition. unknown_helo_hostname_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unknown_helo_host- + The Postfix SMTP server's action when reject_unknown_helo_host- name fails due to a temporary error condition. unknown_address_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when - reject_unknown_sender_domain or reject_unknown_recipient_domain + The Postfix SMTP server's action when + reject_unknown_sender_domain or reject_unknown_recipient_domain fail due to a temporary error condition. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) The location of all postfix administrative commands. double_bounce_sender (double-bounce) - The sender address of postmaster notifications that are gener- + The sender address of postmaster notifications that are gener- ated by the mail system. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. mail_name (Postfix) - The mail system name that is displayed in Received: headers, in + The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. mail_owner (postfix) - The UNIX system account that owns the Postfix queue and most + The UNIX system account that owns the Postfix queue and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -1366,11 +1370,11 @@ SMTPD(8) SMTPD(8) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" remote SMTP clients that have more privi- + The list of "trusted" remote SMTP clients that have more privi- leges than "strangers". myorigin ($myhostname) - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. process_id (read-only) @@ -1383,24 +1387,24 @@ SMTPD(8) SMTPD(8) The location of the Postfix top-level queue directory. recipient_delimiter (empty) - The set of characters that can separate an email address local- + The set of characters that can separate an email address local- part, user name, or a .forward file name from its extension. smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the SMTP greeting + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}}) - List of commands that cause the Postfix SMTP server to immedi- + List of commands that cause the Postfix SMTP server to immedi- ately terminate the session with a 221 code. Available in Postfix version 2.5 and later: @@ -1417,7 +1421,7 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.4 and later: smtpd_reject_footer_maps (empty) - Lookup tables, indexed by the complete Postfix SMTP server 4xx + Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx response, with reject footer templates. SEE ALSO diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 623ea49fd..e1280475f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -11007,10 +11007,51 @@ This feature is available in Postfix 2.0 and later. Reply with "Error: bare received" and disconnect when a remote SMTP client sends a line ending in , violating the RFC 5321 requirement that lines must end in . -This feature is enabled by default with Postfix >= 3.9 but may -not work with non\-standard clients such as netcat. Specify -"smtpd_forbid_bare_newline = no" to disable (not recommended for -an Internet\-connected MTA). +This feature is enabled by default with Postfix >= 3.9. Use +smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients +such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable +(not recommended for an Internet\-connected MTA). +.PP +Example: +.sp +.in +4 +.nf +.na +.ft C +# Disconnect remote SMTP clients that send bare newlines, but allow +# local clients with non\-standard SMTP implementations such as netcat, +# fax machines, or load balancer health checks. +# +smtpd_forbid_bare_newline = yes +smtpd_forbid_bare_newline_exclusions = $mynetworks +.fi +.ad +.ft R +.in -4 +.PP +This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9, +3.6.13, and 3.5.23. +.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks) +Exclude the specified clients from smtpd_forbid_bare_newline +enforcement. It uses the same syntax and parent\-domain matching +behavior as mynetworks. +.PP +Example: +.sp +.in +4 +.nf +.na +.ft C +# Disconnect remote SMTP clients that send bare newlines, but allow +# local clients with non\-standard SMTP implementations such as netcat, +# fax machines, or load balancer health checks. +# +smtpd_forbid_bare_newline = yes +smtpd_forbid_bare_newline_exclusions = $mynetworks +.fi +.ad +.ft R +.in -4 .PP This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23. diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 56e22621c..1b6da42ad 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -874,6 +874,9 @@ Available in Postfix 3.9, 3.8.3, 3.7.9, 3.6.13, 3.5.23 and later: Reply with "Error: bare received" and disconnect when a remote SMTP client sends a line ending in , violating the RFC 5321 requirement that lines must end in . +.IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR" +Exclude the specified clients from smtpd_forbid_bare_newline +enforcement. .SH "TARPIT CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 31f00be25..d49217e86 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -562,6 +562,7 @@ while (<>) { s;\bsmtpd_expansion_filter\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bidden_commands\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bid_bare_newline\b;$&;g; + s;\bsmtpd_for[-]*\n*[ ]*bid_bare_newline_exclusions\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bid_unauth_pipelining\b;$&;g; s;\bsmtpd_hard_error_limit\b;$&;g; s;\bsmtpd_helo_required\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 1023c776e..537e02af4 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19060,10 +19060,45 @@ MinProtocol = TLSv1

Reply with "Error: bare <LF> received" and disconnect when a remote SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. -This feature is enabled by default with Postfix ≥ 3.9 but may -not work with non-standard clients such as netcat. Specify -"smtpd_forbid_bare_newline = no" to disable (not recommended for -an Internet-connected MTA).

+This feature is enabled by default with Postfix ≥ 3.9. Use +smtpd_forbid_bare_newline_exclusions to exclude non-standard clients +such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable +(not recommended for an Internet-connected MTA).

+ +

Example:

+ +
+
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+
+ +

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, +3.6.13, and 3.5.23.

+ +%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks + +

Exclude the specified clients from smtpd_forbid_bare_newline +enforcement. It uses the same syntax and parent-domain matching +behavior as mynetworks.

+ +

Example:

+ +
+
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 244f05f51..338dc667d 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4308,6 +4308,9 @@ extern char *var_smtpd_dns_re_filter; #define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline" #define DEF_SMTPD_FORBID_BARE_LF 1 +#define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions" +#define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS + /* * Share TLS sessions through tlsproxy(8). */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 2bfce0ea5..a05e41ba7 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20231219" +#define MAIL_RELEASE_DATE "20231221" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 8e91fc2f0..342f5dfc7 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -828,6 +828,9 @@ /* Reply with "Error: bare received" and disconnect /* when a remote SMTP client sends a line ending in , violating /* the RFC 5321 requirement that lines must end in . +/* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR" +/* Exclude the specified clients from smtpd_forbid_bare_newline +/* enforcement. /* TARPIT CONTROLS /* .ad /* .fi @@ -1539,6 +1542,9 @@ bool var_relay_before_rcpt_checks; bool var_smtpd_req_deadline; int var_smtpd_min_data_rate; char *var_hfrom_format; +bool var_smtpd_forbid_bare_lf; +char *var_smtpd_forbid_bare_lf_excl; +static NAMADR_LIST *bare_lf_excl; /* * Silly little macros. @@ -6163,6 +6169,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv) xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 && namadr_list_match(xforward_hosts, state.name, state.addr); + /* + * Enforce strict SMTP line endings, with compatibility exclusions. + */ + smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0 + && var_smtpd_forbid_bare_lf + && !namadr_list_match(bare_lf_excl, state.name, state.addr); + /* * See if we need to turn on verbose logging for this client. */ @@ -6224,6 +6237,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv) hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN | match_parent_style(VAR_SMTPD_HOGGERS), var_smtpd_hoggers); + bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL, + MATCH_FLAG_RETURN + | match_parent_style(VAR_MYNETWORKS), + var_smtpd_forbid_bare_lf_excl); /* * Open maps before dropping privileges so we can read passwords etc. @@ -6590,7 +6607,7 @@ int main(int argc, char **argv) VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe, - VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &smtp_forbid_bare_lf, + VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf, 0, }; static const CONFIG_NBOOL_TABLE nbool_table[] = { @@ -6707,6 +6724,7 @@ int main(int argc, char **argv) VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0, VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0, VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0, + VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0, 0, }; static const CONFIG_RAW_TABLE raw_table[] = {