SMTP Smuggling mitigation

We'll test this internally and will update the templates to use this on the external port if the tests are successful.
Our preliminary tests were successful:
* the new postfix versions are available in the bookworm-updates (and bullseye-updates) repositories: https://wiki.debian.org/StableUpdates
* these repositories are enabled by default in all installations from the ISO (at least since PMG 6.0) and the appliance template
* an updated version of pmg-api for PMG 8 (8.0.11) is available in the pmgtest repository
* we'll provide the updated template for PMG 7 soon
* the initial post of this thread has been updated to reflect the current situation
 
A version with the long-term fix is now also available for PMG 7.
Packages for both PMG 7 and PMG 8 are on the pmg-no-subscription repositories and will be pushed to pmg-enterprise soon.
 
A version with the long-term fix is now also available for PMG 7.
Packages for both PMG 7 and PMG 8 are on the pmg-no-subscription repositories and will be pushed to pmg-enterprise soon.
Does this mean we can update proxmox + apt-get update and all is good?
Or do we still need manual editing of master/main templates?

It's not clear. :)
 
Does this mean we can update proxmox + apt-get update and all is good?
Or do we still need manual editing of master/main templates?
The initial post of this thread (which was updated to reflect the current state) describes it in more detail.
Put shortly: if you do not have any modifications to the postfix configuration templates, the new packages will ship the proper config templates,
which disable bare <LF> as command separators.

I hope this explains it.
 
Are any changes proposed for pmg-api postfix templates following the changes introduced by postfix (3.7.10-0+deb12u1)?

Code:
  * 3.7.10
    - Security (outbound SMTP smuggling): with the default setting
      "cleanup_replace_stray_cr_lf = yes" Postfix will replace
      stray <CR> or <LF> characters in message content with a
      space character. This prevents Postfix from enabling
      outbound (remote) SMTP smuggling, and it also makes evaluation
      of Postfix-added DKIM etc. signatures independent from how
      a remote mail server handles stray <CR> or <LF> characters.
      Files: global/mail_params.h, cleanup/cleanup.c,
      cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
    - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
      = normalize" (default "no" for Postfix < 3.9), the Postfix
      SMTP server requires the standard End-of-DATA sequence
      <CR><LF>.<CR><LF>, and otherwise allows command or message
      content lines ending in the non-standard <LF>, processing
      them as if the client sent the standard <CR><LF>.
      The alternative setting, "smtpd_forbid_bare_newline = reject"
      will reject any command or message that contains a bare
      <LF>, and is more likely to cause problems with legitimate
      clients.
      For backwards compatibility, local clients are excluded by
      default with "smtpd_forbid_bare_newline_exclusions =
      $mynetworks".
      Files: mantools/postlink, proto/postconf.proto,
      global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
      smtpd/smtpd.c, smtpd/smtpd_check.[hc].
 
Are any changes proposed for pmg-api postfix templates following the changes introduced by postfix (3.7.10-0+deb12u1)?
The new release does not change anything fundamental in the way the mitigation works and is configured (which is why we have not released a new version of the config template yet).
The new parameter "cleanup_replace_stray_cr_lf" defaults to a more secure setting, and the current "smtpd_forbid_bare_newline = yes" in the template is an alias for the newly suggested "smtpd_forbid_bare_newline = normalize" - so nothing changes there effectively.

We'll update the config template to "smtpd_forbid_bare_newline = normalize" soon - so you'll get asked what to do with your overridden template during the update, if you have adapted your main.cf template.

The SMTP smuggling page of Postfix has more details again:
https://www.postfix.org/smtp-smuggling.html

I hope this explains it.
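To make the three settings discussed in this thread concrete, here is a small Python model of how the SMTP server splits a DATA stream under "smtpd_forbid_bare_newline = no / normalize / reject" and what "cleanup_replace_stray_cr_lf = yes" then does to the content. This is an added illustration written for this thread, not Postfix code; the sample DATA stream is constructed, and dot-unstuffing is left out.

```python
import re

BARE_LF = re.compile(rb"(?<!\r)\n")                # <LF> not preceded by <CR>
STRAY_CR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")   # <CR> or <LF> that is not part of <CR><LF>
STRICT_END = re.compile(rb"\r\n\.\r\n")            # standard End-of-DATA sequence
LENIENT_END = re.compile(rb"\r?\n\.\r?\n")         # legacy behaviour: <LF>.<LF> also ends DATA


def smtpd_read_data(stream: bytes, forbid_bare_newline: str) -> tuple[bytes, bytes]:
    """Split the bytes a client sent after DATA into (message content, rest).

    'rest' is what the SMTP server goes on to parse as further commands.
    forbid_bare_newline is 'no' (old default), 'normalize' or 'reject'.
    Dot-unstuffing is omitted to keep the model short.
    """
    buf = b"\r\n" + stream  # pretend we are right after the DATA command line
    end_re = LENIENT_END if forbid_bare_newline == "no" else STRICT_END
    m = end_re.search(buf)
    if m is None:
        raise ValueError("no End-of-DATA sequence received")
    content, rest = buf[2:m.start()], buf[m.end():]
    if forbid_bare_newline == "reject" and BARE_LF.search(content):
        raise ValueError("bare <LF> in message content rejected")
    if forbid_bare_newline == "normalize":
        content = BARE_LF.sub(b"\r\n", content)  # treat bare <LF> as <CR><LF>
    return content, rest


def cleanup_replace_stray_cr_lf(content: bytes) -> bytes:
    """cleanup(8) with cleanup_replace_stray_cr_lf = yes: stray <CR>/<LF> become a space."""
    return STRAY_CR_LF.sub(b" ", content)


# Constructed sample: message content containing a <LF>.<LF> sequence and a stray <CR>,
# followed by the standard End-of-DATA and a QUIT command.
SAMPLE = (b"Subject: test\r\n\r\nfirst line\n.\nsecond line\rstill second\r\n"
          b".\r\nQUIT\r\n")


def demo(mode: str) -> dict:
    """Run the sample through the server model and cleanup for one setting."""
    content, rest = smtpd_read_data(SAMPLE, mode)
    return {"content": cleanup_replace_stray_cr_lf(content), "rest": rest}


def is_rejected(mode: str) -> bool:
    """True when the server refuses the sample under the given setting."""
    try:
        smtpd_read_data(SAMPLE, mode)
    except ValueError:
        return True
    return False
```

With "no", everything after the <LF>.<LF> ends up in `rest` and is parsed as commands; with "normalize", only `QUIT` remains there and the stray <CR> is turned into a space by cleanup.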
 
"smtpd_forbid_bare_newline = yes" in the template is an alias for the newly suggested "smtpd_forbid_bare_newline = normalize" - so nothing changes there effectively.
I missed that detail. Thanks for pointing it out. I have read the postfix announcement several times over the past month or two. I guess it still didn't sink in!