Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 920509 (CVE-2023-51764)

Summary: <mail-mta/postfix-3.8.4: SMTP smuggling
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: conikost, eras, hlein, jaak, williamh
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 920673    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 01:02:08 UTC
"Impact: The "smuggled" SMTP MAIL/RCPT/DATA commands and
header plus body text can be used to spoof email from any sender whose
domain is hosted at email service A, to any recipient whose domain is
hosted at email service B. Such email will pass SPF-based DMARC checks
at email service B, because the smuggled message has a sender address
that is hosted at email service A, and because the message was
received from email service A."

There is a workaround, but it comes with a warning about efficacy:

"NOTE: This will stop only the published form of the attack. Other forms exist that will not be stopped in this manner.

    With all Postfix versions, "smtpd_data_restrictions = reject_unauth_pipelining" will stop the published exploit."

Seems that there's no patch yet, but we can seemingly look forward to
a fix in a few weeks (next year).
Comment 1 Raznan 2023-12-22 17:16:52 UTC
Fixed in Postfix 3.8.4. For background, see
Comment 2 Guido Jäkel 2023-12-22 20:04:25 UTC
I created a bumped postfix-3.8.4.ebuild by renaming postfix-3.8.3.ebuild . This works for me.

Upstream, it's recommended to add the following to /etc/postfix/ to enable the new configuration option

    # Optionally disconnect remote SMTP clients that send bare newlines,
    # but allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks
Comment 3 Hank Leininger 2023-12-22 23:10:10 UTC
Created a PR for the bump that also adds an ewarn and pointer to the postfix advisory and instructions if portage can find postfix's and it does not mention smtpd_forbid_bare_newline. Maybe that doesn't belong here and should be in a news item instead.
Comment 4 Larry the Git Cow gentoo-dev 2023-12-24 22:01:56 UTC
The bug has been referenced in the following commit(s):

commit 6ec1f51e1548f5ec5d9b69cb05294ab9917a3bd1
Author:     Eray Aslan <>
AuthorDate: 2023-12-24 21:39:43 +0000
Commit:     Eray Aslan <>
CommitDate: 2023-12-24 22:01:48 +0000

    mail-mta/postfix: add 3.8.4 - smtp smuggling fix
    Added smtpd_forbid_bare_newline and smtpd_forbid_bare_newline_exclusions
    to default to mitigate against email spoofing attack - smtp
    We are diverging from the postfix upstream for the above two
    configurations. However, they will show up as config changes and the
    mail admins will be able to make their own decisions. This should result
    in minimal risk in disrupting existing mail flows.
    This change in the ebuild will probably not be needed for postfix-3.9
    releases (not yet released).
    Signed-off-by: Eray Aslan <>

 mail-mta/postfix/Manifest             |   1 +
 mail-mta/postfix/postfix-3.8.4.ebuild | 303 ++++++++++++++++++++++++++++++++++
 2 files changed, 304 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2024-01-02 15:13:48 UTC
The bug has been referenced in the following commit(s):

commit 94d93a6449cfd889483875c3e40de1950abf91ac
Author:     Eray Aslan <>
AuthorDate: 2024-01-02 15:13:24 +0000
Commit:     Eray Aslan <>
CommitDate: 2024-01-02 15:13:24 +0000

    mail-mta/postfix: drop 3.8.2, 3.8.3
    Signed-off-by: Eray Aslan <>

 mail-mta/postfix/Manifest             |   2 -
 mail-mta/postfix/postfix-3.8.2.ebuild | 297 ----------------------------------
 mail-mta/postfix/postfix-3.8.3.ebuild | 297 ----------------------------------
 3 files changed, 596 deletions(-)