mirror of https://github.com/vdukhovni/postfix synced 2025-08-28 20:57:56 +00:00

postfix-3.9-20231221

This commit is contained in:
Wietse Venema 2023-12-21 00:00:00 -05:00 committed by Viktor Dukhovni
parent a41effbfcb
commit dd0f14446a
11 changed files with 289 additions and 119 deletions

View File

@ -27631,12 +27631,15 @@ Apologies for any names omitted.
cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d],
cleanup/cleanup_milter.ref18[a-d][12].
20231219
20231221
Protocol enforcement: with "smtpd_forbid_bare_newline =
yes" (the default for Postfix 3.9), reply with "Error: bare
<LF> received" and disconnect when an SMTP client sends a
line ending in <LF>, violating the RFC 5321 requirement
that lines must end in <CR><LF>. Files: mantools/postlink,
proto/postconf.proto, global/mail_params.h, global/smtp_stream.c,
global/smtp_stream.h, smtpd/smtpd.c.
Security: with "smtpd_forbid_bare_newline = yes" (the default
for Postfix 3.9), reply with "Error: bare <LF> received"
and disconnect when an SMTP client sends a line ending in
<LF>, violating the RFC 5321 requirement that lines must
end in <CR><LF>. This prevents SMTP smuggling attacks that
target a recipient at a Postfix server. For backwards
compatibility, local clients are excluded by default with
"smtpd_forbid_bare_newline_exclusions = $mynetworks". Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c.

View File

@ -26,6 +26,29 @@ now also distributed with the more recent Eclipse Public License
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
Incompatible changes with snapshot 20231221
===========================================
Postfix 3.9 by default disconnects a client that sends a 'bare
newline' ending in SMTP. This prevents an SMTP smuggling attack
that targets recipients at a Postfix server. For background,
see https://www.postfix.org/smtp-smuggling.html
For compatibility with non-standard clients, Postfix 3.9 by default
excludes clients in mynetworks from this countermeasure.
The Postfix 3.9 default settings are:
# Disconnect remote SMTP clients that send bare newlines, but
# allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
This feature is back-ported to all supported stable releases, with
the difference that "smtpd_forbid_bare_newline = no" by default.
Incompatible changes with snapshot 20230903
===========================================
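Review bot: the last paragraph of the new section should spell out the operational consequence of the backport default: on the stable releases the countermeasure stays off until the administrator explicitly sets "smtpd_forbid_bare_newline = yes", which is the opposite of what a reader of the preceding "Postfix 3.9 default settings" example will assume. A one-sentence "To enable it on a stable release, set smtpd_forbid_bare_newline = yes" would avoid that. Minor wording: "a client that sends a 'bare newline' ending" reads awkwardly; "a line ending in a bare newline" is clearer.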

View File

@ -15927,10 +15927,49 @@ This feature is available in Postfix 2.0 and later.
<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
the <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
This feature is enabled by default with Postfix &ge; 3.9 but may
not work with non-standard clients such as netcat. Specify
"<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable (not recommended for
an Internet-connected MTA). </p>
This feature is enabled by default with Postfix &ge; 3.9. Use
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> to exclude non-standard clients
such as netcat. Specify "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable
(not recommended for an Internet-connected MTA). </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
</DD>
<DT><b><a name="smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>
(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
<p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement. It uses the same syntax and parent-domain matching
behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>

View File

@ -1002,6 +1002,10 @@ SMTPD(8) SMTPD(8)
remote SMTP client sends a line ending in &lt;LF&gt;, violating the
<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
<b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement.
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away

View File

@ -11007,10 +11007,51 @@ This feature is available in Postfix 2.0 and later.
Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>.
This feature is enabled by default with Postfix >= 3.9 but may
not work with non\-standard clients such as netcat. Specify
"smtpd_forbid_bare_newline = no" to disable (not recommended for
an Internet\-connected MTA).
This feature is enabled by default with Postfix >= 3.9. Use
smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients
such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
(not recommended for an Internet\-connected MTA).
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent\-domain matching
behavior as mynetworks.
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.

View File

@ -874,6 +874,9 @@ Available in Postfix 3.9, 3.8.3, 3.7.9, 3.6.13, 3.5.23 and later:
Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>.
.IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement.
.SH "TARPIT CONTROLS"
.na
.nf
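Review bot: the unchanged header context of this hunk reads "Available in Postfix 3.9, 3.8.3, 3.7.9, 3.6.13, 3.5.23 and later:", while the availability lines this commit adds to postconf(5) and postconf.proto read "3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23". One of the two 3.8 patch levels is wrong; reconcile them in the same commit so smtpd(8) and postconf(5) agree.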

View File

@ -562,6 +562,7 @@ while (<>) {
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
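Review bot: the ordering of the new smtpd_forbid_bare_newline_exclusions rule after the plain smtpd_forbid_bare_newline rule is safe: the trailing \b in the shorter rule cannot match in front of the "_" of "_exclusions", so the shorter name is never linked as a prefix of the longer one. The hyphenation allowance "[-</bB>]*\n*[ <bB>]*" is, however, only placed after "smtpd_for"; a name this long is likely to be broken by the formatter at another point (for example after "bare_newline_"), and such occurrences will remain unlinked. Consider allowing a line break at an additional position in the longer name.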

View File

@ -19060,10 +19060,45 @@ MinProtocol = TLSv1
<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
the RFC 5321 requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
This feature is enabled by default with Postfix &ge; 3.9 but may
not work with non-standard clients such as netcat. Specify
"smtpd_forbid_bare_newline = no" to disable (not recommended for
an Internet-connected MTA). </p>
This feature is enabled by default with Postfix &ge; 3.9. Use
smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
(not recommended for an Internet-connected MTA). </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
<p> Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent-domain matching
behavior as mynetworks. </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>

View File

@ -4308,6 +4308,9 @@ extern char *var_smtpd_dns_re_filter;
#define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline"
#define DEF_SMTPD_FORBID_BARE_LF 1
#define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions"
#define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS
/*
* Share TLS sessions through tlsproxy(8).
*/
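Review bot: DEF_SMTPD_FORBID_BARE_LF stays at 1 here, which matches the Postfix 3.9 default described in RELEASE_NOTES; the same notes say the stable-release backports default to "no", so the backported patches must flip this define to 0 rather than only changing the documentation, otherwise the two will disagree. Building the exclusion default as "$" VAR_MYNETWORKS by string pasting is fine and keeps it in step with the mynetworks parameter name.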

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20231219"
#define MAIL_RELEASE_DATE "20231221"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT

View File

@ -828,6 +828,9 @@
/* Reply with "Error: bare <LF> received" and disconnect
/* when a remote SMTP client sends a line ending in <LF>, violating
/* the RFC 5321 requirement that lines must end in <CR><LF>.
/* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
/* Exclude the specified clients from smtpd_forbid_bare_newline
/* enforcement.
/* TARPIT CONTROLS
/* .ad
/* .fi
@ -1539,6 +1542,9 @@ bool var_relay_before_rcpt_checks;
bool var_smtpd_req_deadline;
int var_smtpd_min_data_rate;
char *var_hfrom_format;
bool var_smtpd_forbid_bare_lf;
char *var_smtpd_forbid_bare_lf_excl;
static NAMADR_LIST *bare_lf_excl;
/*
* Silly little macros.
@ -6163,6 +6169,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
namadr_list_match(xforward_hosts, state.name, state.addr);
/*
* Enforce strict SMTP line endings, with compatibility exclusions.
*/
smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0
&& var_smtpd_forbid_bare_lf
&& !namadr_list_match(bare_lf_excl, state.name, state.addr);
/*
* See if we need to turn on verbose logging for this client.
*/
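Review bot: the per-client result is stored in smtp_forbid_bare_lf, a global consumed by the stream layer, so this is only correct because each smtpd process serves one client at a time (the xforward_allowed assignment just above relies on the same property); a one-line comment stating that assumption would help. Also worth documenting the fail-closed behaviour: bare_lf_excl is created with MATCH_FLAG_RETURN, so a lookup error in the exclusion list comes back as a non-match (the error flag is not examined here) and the client is subject to enforcement rather than exempted. That is the safer outcome, but it should be a stated choice rather than an accident.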
@ -6224,6 +6237,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
| match_parent_style(VAR_SMTPD_HOGGERS),
var_smtpd_hoggers);
bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL,
MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS),
var_smtpd_forbid_bare_lf_excl);
/*
* Open maps before dropping privileges so we can read passwords etc.
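Review bot: the new list is initialized with match_parent_style(VAR_MYNETWORKS) instead of match_parent_style(VAR_SMTPD_FORBID_BARE_LF_EXCL), unlike hogger_list directly above, which uses its own parameter name. This is what makes the documented "same syntax and parent-domain matching behavior as mynetworks" true, so it is correct, but it deserves a short comment so a future reader does not "fix" it to the local parameter name and silently change the matching semantics.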
@ -6590,7 +6607,7 @@ int main(int argc, char **argv)
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &smtp_forbid_bare_lf,
VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
@ -6707,6 +6724,7 @@ int main(int argc, char **argv)
VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
0,
};
static const CONFIG_RAW_TABLE raw_table[] = {