
postfix-3.9-20231221

This commit is contained in:
Wietse Venema 2023-12-21 00:00:00 -05:00 committed by Viktor Dukhovni
parent a41effbfcb
commit dd0f14446a
11 changed files with 289 additions and 119 deletions


@ -27631,12 +27631,15 @@ Apologies for any names omitted.
cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d], cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d],
cleanup/cleanup_milter.ref18[a-d][12]. cleanup/cleanup_milter.ref18[a-d][12].
20231219 20231221
Protocol enforcement: with "smtpd_forbid_bare_newline = Security: with "smtpd_forbid_bare_newline = yes" (the default
yes" (the default for Postfix 3.9), reply with "Error: bare for Postfix 3.9), reply with "Error: bare <LF> received"
<LF> received" and disconnect when an SMTP client sends a and disconnect when an SMTP client sends a line ending in
line ending in <LF>, violating the RFC 5321 requirement <LF>, violating the RFC 5321 requirement that lines must
that lines must end in <CR><LF>. Files: mantools/postlink, end in <CR><LF>. This prevents SMTP smuggling attacks that
proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, target a recipient at a Postfix server. For backwards
global/smtp_stream.h, smtpd/smtpd.c. compatibility, local clients are excluded by default with
"smtpd_forbid_bare_newline_exclusions = $mynetworks". Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c.


@ -26,6 +26,29 @@ now also distributed with the more recent Eclipse Public License
license of their choice. Those who are more comfortable with the license of their choice. Those who are more comfortable with the
IPL can continue with that license. IPL can continue with that license.
Incompatible changes with snapshot 20231221
===========================================
Postfix 3.9 by default disconnects a client that sends a 'bare
newline' ending in SMTP. This prevents an SMTP smuggling attack
that targets recipients at a Postfix server. For background,
see https://www.postfix.org/smtp-smuggling.html
For compatibility with non-standard clients, Postfix 3.9 by default
excludes clients in mynetworks from this countermeasure.
The Postfix 3.9 default settings are:
# Disconnect remote SMTP clients that send bare newlines, but
# allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
This feature is back-ported to all supported stable releases, with
the difference that "smtpd_forbid_bare_newline = no" by default.
Incompatible changes with snapshot 20230903 Incompatible changes with snapshot 20230903
=========================================== ===========================================


@ -15927,10 +15927,49 @@ This feature is available in Postfix 2.0 and later.
<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect <p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
when a remote SMTP client sends a line ending in &lt;LF&gt;, violating when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
the <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;. the <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
This feature is enabled by default with Postfix &ge; 3.9 but may This feature is enabled by default with Postfix &ge; 3.9. Use
not work with non-standard clients such as netcat. Specify <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> to exclude non-standard clients
"<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable (not recommended for such as netcat. Specify "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable
an Internet-connected MTA). </p> (not recommended for an Internet-connected MTA). </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
</DD>
<DT><b><a name="smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>
(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
<p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement. It uses the same syntax and parent-domain matching
behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9, <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p> 3.6.13, and 3.5.23. </p>


@ -1002,6 +1002,10 @@ SMTPD(8) SMTPD(8)
remote SMTP client sends a line ending in &lt;LF&gt;, violating the remote SMTP client sends a line ending in &lt;LF&gt;, violating the
<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;. <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
<b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement.
<b>TARPIT CONTROLS</b> <b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away insert delays before responding. This can help to slow down run-away


@ -11007,10 +11007,51 @@ This feature is available in Postfix 2.0 and later.
Reply with "Error: bare <LF> received" and disconnect Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>. the RFC 5321 requirement that lines must end in <CR><LF>.
This feature is enabled by default with Postfix >= 3.9 but may This feature is enabled by default with Postfix >= 3.9. Use
not work with non\-standard clients such as netcat. Specify smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients
"smtpd_forbid_bare_newline = no" to disable (not recommended for such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
an Internet\-connected MTA). (not recommended for an Internet\-connected MTA).
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent\-domain matching
behavior as mynetworks.
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP .PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9, This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. 3.6.13, and 3.5.23.


@ -874,6 +874,9 @@ Available in Postfix 3.9, 3.8.3, 3.7.9, 3.6.13, 3.5.23 and later:
Reply with "Error: bare <LF> received" and disconnect Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>. the RFC 5321 requirement that lines must end in <CR><LF>.
.IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement.
.SH "TARPIT CONTROLS" .SH "TARPIT CONTROLS"
.na .na
.nf .nf


@ -562,6 +562,7 @@ while (<>) {
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g; s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g; s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g; s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g; s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g; s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g; s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;


@ -19060,10 +19060,45 @@ MinProtocol = TLSv1
<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect <p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
when a remote SMTP client sends a line ending in &lt;LF&gt;, violating when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
the RFC 5321 requirement that lines must end in &lt;CR&gt;&lt;LF&gt;. the RFC 5321 requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
This feature is enabled by default with Postfix &ge; 3.9 but may This feature is enabled by default with Postfix &ge; 3.9. Use
not work with non-standard clients such as netcat. Specify smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
"smtpd_forbid_bare_newline = no" to disable (not recommended for such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
an Internet-connected MTA). </p> (not recommended for an Internet-connected MTA). </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
<p> Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent-domain matching
behavior as mynetworks. </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9, <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p> 3.6.13, and 3.5.23. </p>


@ -4308,6 +4308,9 @@ extern char *var_smtpd_dns_re_filter;
#define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline" #define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline"
#define DEF_SMTPD_FORBID_BARE_LF 1 #define DEF_SMTPD_FORBID_BARE_LF 1
#define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions"
#define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS
/* /*
* Share TLS sessions through tlsproxy(8). * Share TLS sessions through tlsproxy(8).
*/ */


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20231219" #define MAIL_RELEASE_DATE "20231221"
#define MAIL_VERSION_NUMBER "3.9" #define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT #ifdef SNAPSHOT


@ -828,6 +828,9 @@
/* Reply with "Error: bare <LF> received" and disconnect /* Reply with "Error: bare <LF> received" and disconnect
/* when a remote SMTP client sends a line ending in <LF>, violating /* when a remote SMTP client sends a line ending in <LF>, violating
/* the RFC 5321 requirement that lines must end in <CR><LF>. /* the RFC 5321 requirement that lines must end in <CR><LF>.
/* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
/* Exclude the specified clients from smtpd_forbid_bare_newline
/* enforcement.
/* TARPIT CONTROLS /* TARPIT CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -1539,6 +1542,9 @@ bool var_relay_before_rcpt_checks;
bool var_smtpd_req_deadline; bool var_smtpd_req_deadline;
int var_smtpd_min_data_rate; int var_smtpd_min_data_rate;
char *var_hfrom_format; char *var_hfrom_format;
bool var_smtpd_forbid_bare_lf;
char *var_smtpd_forbid_bare_lf_excl;
static NAMADR_LIST *bare_lf_excl;
/* /*
* Silly little macros. * Silly little macros.
@ -6163,6 +6169,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 && xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
namadr_list_match(xforward_hosts, state.name, state.addr); namadr_list_match(xforward_hosts, state.name, state.addr);
/*
* Enforce strict SMTP line endings, with compatibility exclusions.
*/
smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0
&& var_smtpd_forbid_bare_lf
&& !namadr_list_match(bare_lf_excl, state.name, state.addr);
/* /*
* See if we need to turn on verbose logging for this client. * See if we need to turn on verbose logging for this client.
*/ */
@ -6224,6 +6237,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
| match_parent_style(VAR_SMTPD_HOGGERS), | match_parent_style(VAR_SMTPD_HOGGERS),
var_smtpd_hoggers); var_smtpd_hoggers);
bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL,
MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS),
var_smtpd_forbid_bare_lf_excl);
/* /*
* Open maps before dropping privileges so we can read passwords etc. * Open maps before dropping privileges so we can read passwords etc.
@ -6590,7 +6607,7 @@ int main(int argc, char **argv)
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe, VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &smtp_forbid_bare_lf, VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
0, 0,
}; };
static const CONFIG_NBOOL_TABLE nbool_table[] = { static const CONFIG_NBOOL_TABLE nbool_table[] = {
@ -6707,6 +6724,7 @@ int main(int argc, char **argv)
VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0, VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0, VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0, VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
0, 0,
}; };
static const CONFIG_RAW_TABLE raw_table[] = { static const CONFIG_RAW_TABLE raw_table[] = {