SMTP Smuggling mitigation

We'll test this internally and will update the templates to use this on the external port if the tests are successful.
Our preliminary tests were successful:
* the new Postfix versions are available in the bookworm-updates (and bullseye-updates) repositories: https://wiki.debian.org/StableUpdates
* these repositories are enabled by default in all installations from the ISO (at least since PMG 6.0) and the appliance template
* an updated version of pmg-api for PMG 8 (8.0.11) is available in the pmgtest repository
* we'll provide the updated template for PMG 7 soon
* the initial post of this thread has been updated to reflect the current situation
 
A version with the long-term fix is now also available for PMG 7.
Packages for both PMG 7 and PMG 8 are on the pmg-no-subscription repositories and will be pushed to pmg-enterprise soon.
 
A version with the long-term fix is now also available for PMG 7.
Packages for both PMG 7 and PMG 8 are on the pmg-no-subscription repositories and will be pushed to pmg-enterprise soon.
Does this mean we can update proxmox + apt-get update and all is good?
Or do we still need manual editing of master/main templates?

It's not clear. :)
 
Does this mean we can update proxmox + apt-get update and all is good?
Or do we still need manual editing of master/main templates?
The initial post of this thread (which was updated to reflect the current state) describes it in more detail.
Put shortly: if you do not have any modifications to the Postfix configuration templates, the new packages will ship the proper config templates, which disable bare <LF> as command separators.

I hope this explains it.
 
Are any changes proposed for pmg-api Postfix templates following the changes introduced by Postfix (3.7.10-0+deb12u1)?

Code:
  * 3.7.10
    - Security (outbound SMTP smuggling): with the default setting
      "cleanup_replace_stray_cr_lf = yes" Postfix will replace
      stray <CR> or <LF> characters in message content with a
      space character. This prevents Postfix from enabling
      outbound (remote) SMTP smuggling, and it also makes evaluation
      of Postfix-added DKIM etc. signatures independent from how
      a remote mail server handles stray <CR> or <LF> characters.
      Files: global/mail_params.h, cleanup/cleanup.c,
      cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
    - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
      = normalize" (default "no" for Postfix < 3.9), the Postfix
      SMTP server requires the standard End-of-DATA sequence
      <CR><LF>.<CR><LF>, and otherwise allows command or message
      content lines ending in the non-standard <LF>, processing
      them as if the client sent the standard <CR><LF>.
      The alternative setting, "smtpd_forbid_bare_newline = reject"
      will reject any command or message that contains a bare
      <LF>, and is more likely to cause problems with legitimate
      clients.
      For backwards compatibility, local clients are excluded by
      default with "smtpd_forbid_bare_newline_exclusions =
      $mynetworks".
      Files: mantools/postlink, proto/postconf.proto,
      global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
      smtpd/smtpd.c, smtpd/smtpd_check.[hc].
 
Are any changes proposed for pmg-api Postfix templates following the changes introduced by Postfix (3.7.10-0+deb12u1)?
The new release does not change anything fundamental in the way the mitigation works and is configured (which is why we have not released a new version of the config template yet).
The new parameter "cleanup_replace_stray_cr_lf" defaults to a more secure setting, and the current "smtpd_forbid_bare_newline = yes" in the template is an alias for the newly suggested "smtpd_forbid_bare_newline = normalize" - so nothing changes there effectively.

We'll update the config template to "smtpd_forbid_bare_newline = normalize" soon - so you'll get asked what to do with your overridden template during the update, if you have adapted your main.cf template.

The SMTP smuggling page of Postfix has more details again:
https://www.postfix.org/smtp-smuggling.html

I hope this explains it.
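The three smtpd_forbid_bare_newline settings quoted from the Postfix release notes above, plus cleanup_replace_stray_cr_lf, modelled in Python as an added example (not code from this thread, from Postfix or from PMG). The DATA stream, the function names and the simplified line handling (no dot-unstuffing) are constructed for illustration only.

```python
from typing import List, Tuple

# Constructed sample DATA stream (not from the thread): the standard terminator
# <CR><LF>.<CR><LF> appears only near the end; in the middle, a content line and
# a lone "." both end in a non-standard bare <LF>.
SAMPLE_DATA = (
    b"Subject: test\r\n"
    b"\r\n"
    b"line ending in a bare newline\n"
    b".\n"
    b"still the same message\r\n"
    b".\r\n"
    b"QUIT\r\n"  # whatever the client sends after End-of-DATA
)

class BareNewlineRejected(Exception):
    """'reject' mode: a line ended in <LF> without the preceding <CR>."""

def read_line(raw: bytes) -> Tuple[bytes, bool, bytes]:
    """Return (content, ended_with_crlf, rest) for the first <LF>-terminated line."""
    head, _sep, rest = raw.partition(b"\n")
    if head.endswith(b"\r"):
        return head[:-1], True, rest
    return head, False, rest

def data_phase(raw: bytes, mode: str) -> Tuple[List[bytes], bytes]:
    """Model smtpd_forbid_bare_newline for one DATA phase.
    'no'        : legacy behaviour, a "." line ending in a bare <LF> also ends DATA
    'normalize' : bare <LF> is accepted as <CR><LF> inside content, but only the
                  standard <CR><LF>.<CR><LF> ends DATA
    'reject'    : any line ending in a bare <LF> rejects the message
    Returns the message's content lines and the unread rest of the stream."""
    lines: List[bytes] = []
    while raw:
        content, crlf, raw = read_line(raw)
        if not crlf and mode == "reject":
            raise BareNewlineRejected(content)
        if content == b"." and (crlf or mode == "no"):
            return lines, raw  # End-of-DATA reached; the rest is read as commands
        lines.append(content)
    raise ValueError("stream ended without End-of-DATA")

def is_rejected(raw: bytes) -> bool:
    """True if 'reject' mode would refuse this DATA stream."""
    try:
        data_phase(raw, "reject")
        return False
    except BareNewlineRejected:
        return True

def replace_stray_cr_lf(content: bytes) -> bytes:
    """Model cleanup_replace_stray_cr_lf = yes: stray <CR>/<LF> left inside a
    content line become a space before the message is stored or signed."""
    return content.replace(b"\r", b" ").replace(b"\n", b" ")
```

Compare the unread remainder returned for mode "no" with the one for mode "normalize": in legacy mode the message ends at the bare-<LF> ".", so everything after it is parsed as new SMTP commands, while normalize keeps it inside the message.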
 
"smtpd_forbid_bare_newline = yes" in the template is an alias for the newly suggested "smtpd_forbid_bare_newline = normalize" - so nothing changes there effectively.
I missed that detail. Thanks for pointing it out. I have read the postfix announcement several times over the past month or two. I guess it still didn't sink in!
 