"Impact: The "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text can be used to spoof email from any sender whose domain is hosted at email service A, to any recipient whose domain is hosted at email service B. Such email will pass SPF-based DMARC checks at email service B, because the smuggled message has a sender address that is hosted at email service A, and because the message was received from email service A."

There is a workaround, but it comes with a warning about efficacy:

"NOTE: This will stop only the published form of the attack. Other forms exist that will not be stopped in this manner. With all Postfix versions, "smtpd_data_restrictions = reject_unauth_pipelining" will stop the published exploit."

Seems that there's no patch yet, but we can seemingly look forward to a fix in a few weeks (next year).
Fixed in Postfix 3.8.4. For background, see https://www.postfix.org/smtp-smuggling.html.
I created a bumped postfix-3.8.4.ebuild by renaming postfix-3.8.3.ebuild. This works for me.

Upstream, it's recommended to add the following to /etc/postfix/main.cf to enable the new configuration option:

    # Optionally disconnect remote SMTP clients that send bare newlines,
    # but allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks
Created a PR for the bump that also adds an ewarn and pointer to the postfix advisory and instructions if portage can find postfix's main.cf and it does not mention smtpd_forbid_bare_newline. Maybe that doesn't belong here and should be in a news item instead.
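A check in the spirit of the ewarn described above, as an added example that is not the PR's or the ebuild's code: it reads a main.cf and reports whether smtpd_forbid_bare_newline is enabled, whether only the reject_unauth_pipelining workaround is present, or neither. The function names and status strings are this example's own, and it assumes Postfix 3.8.4 behaviour, where a parameter missing from main.cf leaves the check off.

```shell
#!/bin/sh
# Added example, not the ebuild's code. Assumes Postfix 3.8.4 semantics:
# a parameter missing from main.cf means the bare-newline check is off.

# main_cf_value FILE PARAM: print PARAM's effective value. Follows main.cf
# syntax: "#" and blank lines are skipped, a line starting with whitespace
# continues the previous logical line, and the last definition wins.
main_cf_value() {
    awk -v want="$2" '
        function commit(   eq, name, val) {
            eq = index(logical, "=")
            if (eq > 0) {
                name = substr(logical, 1, eq - 1)
                val = substr(logical, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == want) found = val
            }
            logical = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); logical = logical " " $0; next }
        { commit(); logical = $0 }
        END { commit(); print found }
    ' "$1"
}

# smuggling_status FILE: print one of
#   forbid_bare_newline  smtpd_forbid_bare_newline is enabled
#   workaround_only      only reject_unauth_pipelining in smtpd_data_restrictions
#   unmitigated          neither setting is present
smuggling_status() {
    case "$(main_cf_value "$1" smtpd_forbid_bare_newline)" in
        yes|normalize|reject) echo forbid_bare_newline; return 0 ;;  # last two: later releases
    esac
    data=$(main_cf_value "$1" smtpd_data_restrictions | tr ',\t' '  ')
    case " $data " in
        *" reject_unauth_pipelining "*) echo workaround_only ;;
        *) echo unmitigated ;;
    esac
}

# Constructed sample: the new setting is commented out and the workaround
# sits on a continuation line.
sample=$(mktemp)
printf '%s\n' '#smtpd_forbid_bare_newline = yes' \
    'smtpd_data_restrictions =' '    reject_unauth_pipelining, permit' > "$sample"
smuggling_status "$sample"   # prints: workaround_only
rm -f "$sample"
```

The script reads only main.cf text, so per-service `-o` overrides in master.cf and compiled-in defaults are outside what it sees; `postconf` on the live system remains the authoritative answer.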
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ec1f51e1548f5ec5d9b69cb05294ab9917a3bd1

commit 6ec1f51e1548f5ec5d9b69cb05294ab9917a3bd1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2023-12-24 21:39:43 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2023-12-24 22:01:48 +0000

    mail-mta/postfix: add 3.8.4 - smtp smuggling fix

    Added smtpd_forbid_bare_newline and smtpd_forbid_bare_newline_exclusions to default main.cf to mitigate against email spoofing attack - smtp smuggling.

    We are diverging from the postfix upstream for the above two configurations. However, they will show up as config changes and the mail admins will be able to make their own decisions. This should result in minimal risk in disrupting existing mail flows.

    This change in the ebuild will probably not be needed for postfix-3.9 releases (not yet released).

    Bug: https://bugs.gentoo.org/920509
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 mail-mta/postfix/Manifest             |   1 +
 mail-mta/postfix/postfix-3.8.4.ebuild | 303 ++++++++++++++++++++++++++++++++++
 2 files changed, 304 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94d93a6449cfd889483875c3e40de1950abf91ac

commit 94d93a6449cfd889483875c3e40de1950abf91ac
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-01-02 15:13:24 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-01-02 15:13:24 +0000

    mail-mta/postfix: drop 3.8.2, 3.8.3

    Bug: https://bugs.gentoo.org/920509
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 mail-mta/postfix/Manifest             |   2 -
 mail-mta/postfix/postfix-3.8.2.ebuild | 297 ----------------------------------
 mail-mta/postfix/postfix-3.8.3.ebuild | 297 ----------------------------------
 3 files changed, 596 deletions(-)