PMG security concern

Unless I'm misunderstanding the release announcement from postfix - it seems to not be too relevant for PMG:
* PMG uses postscreen on the public port, which already disconnects clients that misbehave regarding pipelining:
https://www.postfix.org/POSTSCREEN_README.html
* This only leaves the internal port where smtpd is listening, and might allow this - but the internal port should not be exposed publicly anyways

The other changes are improvements and will become available in a new version of PMG (which ships with a newer version of postfix).

Regarding the optional TLS config file: we haven't had a report about mails being sent in plain text instead of encrypted due to too restrictive TLS settings in the default config, so I assume that the current defaults in Debian are loose enough to not cause this issue.

Should this change in a future version, we would most likely use the feature to provide postfix with a less strict TLS config.

I hope this explains it!
 