From patchwork Tue Dec 26 13:10:34 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7412
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] postfix: Update to version 3.8.4 + prevent smtp smuggling
Date: Tue, 26 Dec 2023 14:10:34 +0100
Message-ID: <20231226131036.3260423-3-adolf.belka@ipfire.org>
In-Reply-To: <20231226131036.3260423-1-adolf.belka@ipfire.org>
References: <20231226131036.3260423-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However, the fix has been backported into version 3.8.4 but with the default for the parameter of "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally, the implementation of smtpd_forbid_bare_newline = yes has been added to the install.sh pak for postfix so that it will be included in any main.cf file being restored from backup. This parameter is available for the first time in 3.8.4, so it will not be in any backup prior to this release and can therefore be safely applied to restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early in 2024, as the default for that parameter in that version onwards will then be "yes"
- Changelog 3.8.4
  Security: with "smtpd_forbid_bare_newline = yes" (default "no" for Postfix < 3.9), reply with "Error: bare <LF> received" and disconnect when an SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. This prevents SMTP smuggling attacks that target a recipient at a Postfix server. For backwards compatibility, local clients are excluded by default with "smtpd_forbid_bare_newline_exclusions = $mynetworks". Files: mantools/postlink, proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c.

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
---
 lfs/postfix | 15 +++++++++++----
 src/paks/postfix/install.sh | 5 +++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lfs/postfix b/lfs/postfix index aab683f4c..7f2625a4e 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -26,7 +26,7 @@ include Config SUMMARY = A fast, secure, and flexible mailer -VER = 3.8.3 +VER = 3.8.4 THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 43 +PAK_VER = 44 DEPS = @@ -70,7 +70,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a656606c2a46671548cb954a65d769ba5bf68a5c8f0ccdc0e753b03386956eef3e264b696a306c586f1df1b06fb173e5f3db74c6a9e4d3686c86b8f53be585ed +$(DL_FILE)_BLAKE2 = 200ce3d72444da05e42fc8627002d53d68c1b3d78b7f74b0130ac958c23d16454783ef4849a8c9a4e3cba8ae36646e921f7e94ac4fb819b597e1a5ab1a875272 install : $(TARGET)
@@ -110,13 +110,20 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && sh postfix-install -non-interactive ## Install configuration rm -vf /etc/postfix/main.cf.default + + # update main.cf parameters to prevent smtp smuggling attack + postconf -e 'smtpd_forbid_bare_newline = yes' + postconf -e 'smtpd_forbid_unauth_pipelining = yes' + postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining' + postconf -e 'smtpd_discard_ehlo_keywords = chunking' + mkdir -p /var/lib/postfix chown postfix.root /var/lib/postfix install -v -m 644 $(DIR_SRC)/config/backup/includes/postfix \ /var/ipfire/backup/addons/includes/postfix mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix - + #install initscripts $(call INSTALL_INITSCRIPTS,$(SERVICES)) diff --git a/src/paks/postfix/install.sh b/src/paks/postfix/install.sh index 1629d21c1..2e04e74a8 100644 --- a/src/paks/postfix/install.sh +++ b/src/paks/postfix/install.sh @@ -24,6 +24,11 @@ . /opt/pakfire/lib/functions.sh extract_files restore_backup ${NAME} + +# change main.cf parameter from default value to prevent smtp smuggling attack +# will not be required once postfix-3.9.x is released as default will then be yes +postconf -e 'smtpd_forbid_bare_newline = yes' + postalias /etc/aliases # Set postfix's hostname postconf -e "myhostname=$(hostname -f)"
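Review bot: in the `@@ -110,13 +110,20 @@` hunk of lfs/postfix, the four `postconf -e` calls only take effect on a fresh install: install.sh runs `restore_backup ${NAME}`, which brings back the user's saved main.cf, and only `smtpd_forbid_bare_newline` is re-applied after that, so a main.cf restored from an earlier release keeps whatever it had for `smtpd_forbid_unauth_pipelining`, `smtpd_data_restrictions` and `smtpd_discard_ehlo_keywords`. If that is intended (the commit message argues only the new parameter is safe to force), say so in the commit message; otherwise consider re-applying the other three after the restore as well. Two smaller points in the same hunk: `postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining'` replaces rather than extends any existing value of that parameter, which is worth a comment, and the `- ` / `+` change near the end is an unrelated trailing-whitespace fix that could be dropped or mentioned in the message.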
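Review bot: in the install.sh hunk, `postconf -e 'smtpd_forbid_bare_newline = yes'` placed after `restore_backup ${NAME}` unconditionally overrides the restored value. That matches the commit message's argument for backups taken before 3.8.4, but a backup taken from 3.8.4 or later in which an admin deliberately set the parameter to `no` (relying instead on `smtpd_forbid_bare_newline_exclusions`) would be silently reverted on every restore; consider checking the restored value with `postconf -h smtpd_forbid_bare_newline` first, or at least logging the override. The comment says the line should go once postfix-3.9.x ships; the matching `postconf -e` line in lfs/postfix needs the same reminder so both are removed together.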
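To make the commit message's configuration changes checkable, here is an added example (not part of this patch, of IPFire, or of Postfix) that audits a main.cf for the four parameters the patch sets and flags a bare `<LF>` line ending in an SMTP byte stream, which is the condition `smtpd_forbid_bare_newline` rejects. The main.cf parser is a simplification of what `postconf` does (no `$variable` expansion, no inherited defaults), the required values are taken from the `postconf -e` calls in the patch, and both main.cf texts and the SMTP fragment are constructed for illustration.

```python
"""Audit a Postfix main.cf for the SMTP-smuggling hardening parameters set
by the patch, and locate bare <LF> line endings in an SMTP byte stream.

Added example: not code from the IPFire patch or from Postfix.
"""
import re

# Parameter -> (check kind, required value). Values come from the patch's
# postconf -e calls. Restriction lists are treated as token lists, so the
# required token only has to be present, not be the whole value.
REQUIRED = {
    "smtpd_forbid_bare_newline": ("equals", "yes"),
    "smtpd_forbid_unauth_pipelining": ("equals", "yes"),
    "smtpd_data_restrictions": ("contains", "reject_unauth_pipelining"),
    "smtpd_discard_ehlo_keywords": ("contains", "chunking"),
}


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}.

    Simplified postconf semantics: '#' lines are comments, a line beginning
    with whitespace continues the previous value, and a later assignment
    overrides an earlier one (which is how postconf -e appends take effect).
    No $variable expansion is performed.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue  # not a parameter line; ignore rather than guess
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def _tokens(value):
    """Split a comma/whitespace separated Postfix list value into tokens."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit_smuggling_hardening(text):
    """Return {parameter: problem} for each required parameter that is
    missing or weak. An empty dict means all four settings are present."""
    params = parse_main_cf(text)
    problems = {}
    for name, (kind, want) in REQUIRED.items():
        value = params.get(name)
        if value is None:
            problems[name] = "not set (Postfix default applies)"
        elif kind == "equals" and value.lower() != want:
            problems[name] = f"is '{value}', expected '{want}'"
        elif kind == "contains" and want not in _tokens(value):
            problems[name] = f"is '{value}', missing '{want}'"
    return problems


def bare_newline_offsets(data):
    """Offsets of every LF (0x0A) not preceded by CR (0x0D).

    RFC 5321 requires lines to end in CRLF; a bare LF is what a Postfix
    server with smtpd_forbid_bare_newline = yes rejects.
    """
    return [i for i, b in enumerate(data)
            if b == 0x0A and (i == 0 or data[i - 1] != 0x0D)]


# Constructed: a main.cf as it might be restored from a pre-patch backup.
WEAK_MAIN_CF = """\
# main.cf (constructed example)
myhostname = mail.example.test
smtpd_forbid_unauth_pipelining = no
smtpd_data_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed: the same file after the four postconf -e calls in the patch
# (postconf -e appends/replaces, so the later lines win).
HARDENED_MAIN_CF = WEAK_MAIN_CF + """\
smtpd_forbid_bare_newline = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
"""

# Constructed SMTP DATA fragment whose second line ends in a bare <LF>.
SAMPLE_STREAM = b"Subject: test\r\nbody line\n.\r\n"

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_smuggling_hardening(cf) or "all four parameters set")
    print("bare <LF> at offsets", bare_newline_offsets(SAMPLE_STREAM))
```

Running the audit against a restored main.cf (for example `postconf -n` output) shows which of the four settings a backup from an older release silently leaves out; the weak sample above reports all four, the hardened one none.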