On Wed, Dec 20, 2023 at 14:49:20 +0000, Gellner, Oliver via mailop wrote:
> Postfix is potentially vulnerable as for compatibility with broken
> clients it accepts <LF>.<LF> as an end-of-data command. Well, at least
> it did, Wietse has introduced a flag which fixes this kind of message
> smuggling:
> 
> > Protocol enforcement: with "smtpd_forbid_bare_newline =
> > yes" (the default for Postfix 3.9), reply with "Error: bare
> > <LF> received" and disconnect when an SMTP client sends a
> > line ending in <LF>, violating the RFC 5321 requirement
> > that lines must end in <CR><LF>. Files: mantools/postlink,
> > proto/postconf.proto, global/mail_params.h, global/smtp_stream.c,
> > global/smtp_stream.h, smtpd/smtpd.c.
> 
> It will be available in the next releases for the 3.5 to 3.9 versions,
> although the new flag will be disabled on all versions except 3.9 by
> default.


For more info on Postfix fixes and timeline, see:

https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html


        Geert


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
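
The bare <LF> condition discussed in this message can be checked offline against a captured DATA stream. The sketch below is an added example, not code from Postfix or from anyone in this thread; the function names and the two sample messages are constructed, and it assumes the input is the raw bytes a client sent after the DATA command.

```python
import re

# A bare <LF> is a line feed not preceded by <CR>; RFC 5321 requires <CR><LF>.
BARE_LF = re.compile(rb"(?<!\r)\n")
# RFC 5321 end-of-data marker.
STRICT_EOD = b"\r\n.\r\n"
# Lenient marker (assumption: models a server that tolerates bare <LF>
# around the lone "." line, as described for older Postfix defaults).
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")

# Constructed sample inputs (not taken from real traffic).
CLEAN = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
SUSPECT = b"Subject: hi\r\n\r\nbody\n.\ntrailing text\r\n.\r\n"


def end_of_data(stream: bytes, lenient: bool) -> int:
    """Return the offset just past the first end-of-data marker, or -1."""
    if lenient:
        match = LENIENT_EOD.search(stream)
        return match.end() if match else -1
    index = stream.find(STRICT_EOD)
    return index + len(STRICT_EOD) if index >= 0 else -1


def audit(stream: bytes) -> dict:
    """Report bare <LF> offsets and whether two parsers split the stream alike."""
    strict = end_of_data(stream, lenient=False)
    lenient = end_of_data(stream, lenient=True)
    return {
        "bare_lf_offsets": [m.start() for m in BARE_LF.finditer(stream)],
        "strict_end": strict,
        "lenient_end": lenient,
        # A mismatch means a strict relay and a lenient server would not
        # agree on where this message stops.
        "parsers_disagree": strict != lenient,
    }


if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("SUSPECT", SUSPECT)):
        print(name, audit(sample))
```

Any non-empty `bare_lf_offsets` is what a server running with "smtpd_forbid_bare_newline = yes" would refuse; `parsers_disagree` marks the streams where the leniency matters.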
