
Postfix Security Release 3.8.5 – 3.7.10 – 3.6.14 – 3.5.24


Postfix, the mail transfer agent (MTA) for Linux and Unix, has received a security and bugfix release in versions 3.8.5, 3.7.10, 3.6.14 and 3.5.24.

Postfix 3.8.5 – 3.7.10 – 3.6.14 – 3.5.24 Release Notes

Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html.

The improvements provide better logging, and better compatibility with existing SMTP clients (less need to allowlist clients).

Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.

The recommended settings are:

# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
# that do not terminate DATA content with the standard End-of-DATA
# sequence <CR><LF>.<CR><LF>.
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks

Notes:

  • The default setting "smtpd_forbid_bare_newline = no" in Postfix releases < 3.9, for compatibility reasons. This means that Postfix is by default vulnerable to SMTP smuggling.
  • The new setting "smtpd_forbid_bare_newline = normalize" is the default for Postfix releases 3.9 and later.
  • The old setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize".
  • The new setting "smtpd_forbid_bare_newline = reject" will refuse commands or message content with a bare newline. For details see the RELEASE_NOTES or the postconf(5) documentation.

Source: https://www.postfix.org/announcements/postfix-3.8.5.html
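
The following audit helper is an added example, not code from the Postfix project or the announcement. It applies the version and default rules from the notes above to the output of `postconf mail_version smtpd_forbid_bare_newline`; the function names, finding texts and sample input are assumptions made for this illustration.

```python
import re

# Fixed release per stable branch, as listed in the announcement.
FIXED = {(3, 8): 5, (3, 7): 10, (3, 6): 14, (3, 5): 24}
DEFAULT_NORMALIZE_FROM = (3, 9)  # "normalize" is the default from 3.9 on

# Constructed sample of `postconf mail_version smtpd_forbid_bare_newline` output.
SAMPLE = "mail_version = 3.8.5\nsmtpd_forbid_bare_newline = no\n"


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit(postconf_text):
    """Return (effective_mode, findings) for one server's postconf output."""
    params = parse_postconf(postconf_text)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", params.get("mail_version", ""))
    if not m:
        raise ValueError("mail_version missing or unparseable")
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    has_default = branch >= DEFAULT_NORMALIZE_FROM
    patched = has_default or patch >= FIXED.get(branch, float("inf"))
    findings = []
    if not patched and branch in FIXED:
        findings.append("upgrade to %d.%d.%d or later" % (*branch, FIXED[branch]))
    elif not patched:
        findings.append("branch has no fixed release in this announcement")

    mode = params.get("smtpd_forbid_bare_newline",
                      "normalize" if has_default else "no").lower()
    if mode == "yes" and patched:  # old spelling, now an alias for normalize
        mode = "normalize"
    if mode == "no":
        findings.append("bare newline countermeasure is off")
    elif mode not in ("normalize", "reject", "yes"):
        findings.append("unrecognized value: " + mode)
    return mode, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list means the server runs a release with this fix and has the countermeasure enabled; clients matched by smtpd_forbid_bare_newline_exclusions are not evaluated here.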
