
Update Postfix Configuration to prevent CHUNKING / BDAT vulnerability

Open Bassbauer opened this issue 2 years ago • 14 comments

Summary

As fixed in Report #5613, Postfix has changed the keyword to prevent the CHUNKING BDAT attack from

smtpd_forbid_bare_newline = yes

to:

smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks

The aforementioned smtpd_forbid_bare_newline = yes still works but is now an alias.

Documentation from Wietse: https://www.postfix.org/smtp-smuggling.html

Please adjust if possible.

Thanks

Motivation

Update the configuration to match the Postfix recommendation / syntax.

Additional context

No response

Bassbauer avatar Jan 31 '24 18:01 Bassbauer

What do you think? @dragoangel

DerLinkman avatar Feb 01 '24 07:02 DerLinkman

@DerLinkman we have updated to 3.8.5, 3.7.10, 3.6.14 and 3.5.24? The older setting "[smtpd_forbid_bare_newline](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline) = yes" is now an alias for "[smtpd_forbid_bare_newline](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline) = normalize".

If we updated, it would just start working in the new way out of the box. We can change this later; the main point is to have an up-to-date Postfix here.

dragoangel avatar Feb 01 '24 13:02 dragoangel

Seems Postfix in such versions is not in Debian repos yet. We use bullseye, hence the latest version is 3.5.23. Even in bookworm it's 3.7.6 or 3.7.9.

MAGICCC avatar Feb 01 '24 16:02 MAGICCC

Trixie has 3.8.5, generally unstable / testing is stable enough… :woman_shrugging: And I guess bookworm-updates will soon have the Trixie version.

chriscroome avatar Feb 01 '24 17:02 chriscroome

Any clues why we use Debian and not Alpine for Postfix? Debian is a slow turtle, sorry...

dragoangel avatar Feb 01 '24 17:02 dragoangel

Hehe, good point. I've just begun porting Postfix to Alpine within mailcow today, as I asked this question myself.

DerLinkman avatar Feb 01 '24 18:02 DerLinkman

Any clues why we use Debian and not Alpine for Postfix?

I recall @andryyy had good reasons for this; for example, here is one, and there are probably others. I'd suggest doing a lot of testing before making this switch for production.

chriscroome avatar Feb 01 '24 18:02 chriscroome

That's six years old. Alpine has changed a lot, so I wouldn't play that card. However, testing is important, as it was for Dovecot.

DerLinkman avatar Feb 01 '24 19:02 DerLinkman

Changing the base is nothing you do just because you like x better than y. Or whatever reason that’s not backed by a solid point.

It broke Postfix (some weird TLS issue) back then.

Just clicking around a bit is not a valid test, just saying.

Anyway, if it works and has not failed in the past… well. Given the project size, I preferred not to play around back then.

Sad cow is sad. Should fork and fix.

andryyy avatar Feb 01 '24 20:02 andryyy

Do what you want. We do what we want. If it's good, it's good. If not, it's not. Just saying.

DerLinkman avatar Feb 01 '24 20:02 DerLinkman

Regarding the question asked above by @dragoangel:

we have updated to 3.8.5, 3.7.10, 3.6.14 and 3.5.24?

Debian Bullseye 11.9 was released yesterday and it includes Postfix 3.5.24:

postfix New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]

Also Debian Bookworm 12.5 was released yesterday and it includes Postfix 3.7.10:

postfix New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]

chriscroome avatar Feb 11 '24 18:02 chriscroome

@chriscroome but the time until they get updated is not quick, and none of them include a fresh Postfix; this is my point. We could in the same way have used rspamd from the Debian repo in the Debian image, but we don't go that way as it is too old; we use pre-built deb packages. From this view we don't have such an alternative for Postfix, so I think it's better to just switch the base distro if no blockers exist. From a raw view I don't see any of them.

dragoangel avatar Feb 11 '24 19:02 dragoangel

Somewhat related to CHUNKING, could you please change:

smtpd_discard_ehlo_keywords = chunking

to this one:

# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent-discard

I don't want to see "discarding EHLO keywords: CHUNKING" every time I get a connection in my Postfix log ;)

More details here: https://www.postfix.org/BDAT_README.html

SwissOS avatar Apr 03 '24 07:04 SwissOS
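The two settings discussed in this thread (smtpd_forbid_bare_newline with its exclusions, and smtpd_discard_ehlo_keywords with silent-discard) are easy to get subtly wrong in a templated main.cf. The following is an added example, not mailcow's own code and not part of the original issue: a small Python audit that parses a main.cf-style file, reports which of the smuggling-related settings are missing, legacy, or noisy, and shows what the "normalize" mode does to line endings. The sample main.cf contents are constructed for the example; the parameter names and values are the ones from the thread and the linked Postfix documentation.

```python
"""Audit a Postfix main.cf for the SMTP smuggling settings discussed in the issue.

Added example; not mailcow code. Parameter semantics follow
https://www.postfix.org/smtp-smuggling.html and BDAT_README.html.
"""
import re
import sys

# Constructed sample: the "before" state (legacy alias, chunking discarded but logged).
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
myhostname = mail.example.test
mynetworks = 127.0.0.0/8
    [::1]/128
smtpd_forbid_bare_newline = yes
smtpd_discard_ehlo_keywords = chunking
"""

# Constructed sample: the state the thread recommends.
HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_discard_ehlo_keywords = chunking, silent-discard
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value,
    '#' lines and blank lines are ignored (the main.cf conventions)."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key, value = m.group(1), m.group(2).strip()
            params[key] = value
    return params


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[\s,]+", value) if v]


def audit(params):
    """Return (parameter, finding) pairs; an empty list means nothing to report."""
    findings = []
    mode = params.get("smtpd_forbid_bare_newline", "no").lower()
    if mode == "no":
        findings.append(("smtpd_forbid_bare_newline",
                         "not set: bare <LF> accepted; set to normalize (or reject)"))
    elif mode == "yes":
        findings.append(("smtpd_forbid_bare_newline",
                         "'yes' is a legacy alias for 'normalize'; use the explicit keyword"))
    if mode != "no" and "smtpd_forbid_bare_newline_exclusions" not in params:
        findings.append(("smtpd_forbid_bare_newline_exclusions",
                         "not set explicitly; the recommended snippet sets it to $mynetworks"))
    ehlo = [k.lower() for k in split_list(params.get("smtpd_discard_ehlo_keywords", ""))]
    if "chunking" not in ehlo:
        findings.append(("smtpd_discard_ehlo_keywords",
                         "CHUNKING still advertised to clients"))
    elif "silent-discard" not in ehlo:
        findings.append(("smtpd_discard_ehlo_keywords",
                         "chunking is discarded but logged on every EHLO; add silent-discard"))
    return findings


def normalize_bare_newlines(data):
    """Illustrates the 'normalize' mode: every LF that is not preceded by CR
    becomes CRLF, so both MTAs in a relay chain see the same line boundaries."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


if __name__ == "__main__":
    # Usage: python audit_main_cf.py [/path/to/main.cf]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    for param, msg in audit(parse_main_cf(text)) or [("ok", "no findings")]:
        print(f"{param}: {msg}")
```

Running it without arguments audits the constructed "before" sample and reports three findings (legacy alias, missing exclusions, noisy chunking discard); the hardened sample produces none. The normalizer is only there to make the meaning of "normalize" concrete; Postfix performs that conversion itself.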

Somewhat related to CHUNKING, could you please change:

smtpd_discard_ehlo_keywords = chunking

to this one:

# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent-discard

I don't want to see "discarding EHLO keywords: CHUNKING" every time I get a connection in my Postfix log ;)

More details here: https://www.postfix.org/BDAT_README.html

As this change can be implemented, why not just create a PR? :)

dragoangel avatar Apr 03 '24 08:04 dragoangel