Summary: | <mail-mta/postfix-3.8.4: SMTP smuggling | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | CONFIRMED --- | ||
Severity: | minor | CC: | conikost, eras, hlein, jaak, williamh |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.postfix.org/smtp-smuggling.html | ||
See Also: | https://github.com/gentoo/gentoo/pull/34433 https://bugs.gentoo.org/show_bug.cgi?id=921520 https://bugs.gentoo.org/show_bug.cgi?id=921521 | ||
Whiteboard: | B4 [glsa?] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 920673 | ||
Bug Blocks: |

Description
John Helmert III
2023-12-22 01:02:08 UTC

Fixed in Postfix 3.8.4. For background, see https://www.postfix.org/smtp-smuggling.html.

I created a bumped postfix-3.8.4.ebuild by renaming postfix-3.8.3.ebuild. This works for me.

Upstream, it's recommended to add the following to /etc/postfix/main.cf to enable the new configuration option:

    # Optionally disconnect remote SMTP clients that send bare newlines,
    # but allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Created a PR for the bump that also adds an ewarn and pointer to the postfix advisory and instructions if portage can find postfix's main.cf and it does not mention smtpd_forbid_bare_newline. Maybe that doesn't belong here and should be in a news item instead.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ec1f51e1548f5ec5d9b69cb05294ab9917a3bd1

    commit 6ec1f51e1548f5ec5d9b69cb05294ab9917a3bd1
    Author: Eray Aslan <eras@gentoo.org>
    AuthorDate: 2023-12-24 21:39:43 +0000
    Commit: Eray Aslan <eras@gentoo.org>
    CommitDate: 2023-12-24 22:01:48 +0000

        mail-mta/postfix: add 3.8.4 - smtp smuggling fix

        Added smtpd_forbid_bare_newline and smtpd_forbid_bare_newline_exclusions to default main.cf to mitigate against email spoofing attack - smtp smuggling.

        We are diverging from the postfix upstream for the above two configurations. However, they will show up as config changes and the mail admins will be able to make their own decisions. This should result in minimal risk in disrupting existing mail flows. This change in the ebuild will probably not be needed for postfix-3.9 releases (not yet released).

        Bug: https://bugs.gentoo.org/920509
        Signed-off-by: Eray Aslan <eras@gentoo.org>

     mail-mta/postfix/Manifest | 1 +
     mail-mta/postfix/postfix-3.8.4.ebuild | 303 ++++++++++++++++++++++++++++++++++
     2 files changed, 304 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94d93a6449cfd889483875c3e40de1950abf91ac

    commit 94d93a6449cfd889483875c3e40de1950abf91ac
    Author: Eray Aslan <eras@gentoo.org>
    AuthorDate: 2024-01-02 15:13:24 +0000
    Commit: Eray Aslan <eras@gentoo.org>
    CommitDate: 2024-01-02 15:13:24 +0000

        mail-mta/postfix: drop 3.8.2, 3.8.3

        Bug: https://bugs.gentoo.org/920509
        Signed-off-by: Eray Aslan <eras@gentoo.org>

     mail-mta/postfix/Manifest | 2 -
     mail-mta/postfix/postfix-3.8.2.ebuild | 297 ----------------------------------
     mail-mta/postfix/postfix-3.8.3.ebuild | 297 ----------------------------------
     3 files changed, 596 deletions(-)
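
The PR comment in this bug describes warning the admin when main.cf does not mention smtpd_forbid_bare_newline. A check of that kind, as an added example (not the PR's ebuild code and not Postfix tooling): the function names `effective_param` and `check_bare_newline` and the sample file are assumptions, and an unset parameter is treated as a warning, as in the PR's description.

```shell
#!/bin/sh
# Added example, not part of the Gentoo PR or of Postfix.

# effective_param FILE NAME: print the last value assigned to NAME.
# Follows main.cf syntax: blank lines and '#' lines are ignored, a line that
# starts with whitespace continues the previous one, the last assignment wins.
effective_param() {
    awk -v name="$2" '
        function take(   eq, key, val) {
            eq = index(line, "=")
            if (eq > 0) {
                key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == name) { found = 1; value = val }
            }
            line = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, " "); line = line $0; next }
        { take(); line = $0 }
        END { take(); if (found) print value }
    ' "$1"
}

# check_bare_newline FILE: 0 = enabled, 1 = unset or "no", 2 = unreadable.
check_bare_newline() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    v=$(effective_param "$1" smtpd_forbid_bare_newline)
    x=$(effective_param "$1" smtpd_forbid_bare_newline_exclusions)
    case "$v" in
        ""|[Nn][Oo]) echo "WARN: smtpd_forbid_bare_newline is ${v:-unset} in $1"; return 1 ;;
        *) echo "OK: smtpd_forbid_bare_newline = $v, exclusions = ${x:-none}"; return 0 ;;
    esac
}

# Constructed sample main.cf: a commented-out line, an override, a continuation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
mynetworks = 127.0.0.0/8
smtpd_forbid_bare_newline = no
#smtpd_forbid_bare_newline = no
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions =
    $mynetworks
EOF
check_bare_newline "$sample" || true
rm -f "$sample"
```

On a host with Postfix installed, `postconf smtpd_forbid_bare_newline` reports the value Postfix itself resolves, including the built-in default when main.cf is silent.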