As part of a non-responsible disclosure process, SEC Consult has
published an email spoofing attack that involves a composition of
different mail service behaviors with respect to broken line endings.

A short-term fix may be deployed now, before the upcoming long holiday:

- Postfix 3.9 (stable release early 2024) rejects unauthorised
  pipelining by default: "smtpd_forbid_unauth_pipelining = yes".

- Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
  but the "smtpd_forbid_unauth_pipelining" parameter defaults to
  "no".

Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate
SMTP clients that mis-implement SMTP, but such clients are exceedingly
rare, especially when email is sent across the Internet.

This short-term fix will stop the published form of the attack, but
other forms exist that will not be stopped in this manner.

The longer-term fix stops all forms of the smuggling attacks and is
in testing. For most sites, this fix will be too late for deployment
before a long holiday break, when typically production changes are
not allowed until January.

Timeline:
Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
Dec 19 Implement fix for Postfix, start testing and Q/A
Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
Dec 23 First day of a 10+ day holiday break and production freeze

References:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

        Wietse
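An added audit helper, not part of the post above and not Postfix's own code: given a Postfix version string and a main.cf file, it reports whether unauthorised pipelining is effectively forbidden, using the release thresholds the post lists (3.9 defaults to yes; 3.8.1, 3.7.6, 3.6.10 and 3.5.20 ship the parameter with a default of no; anything older does not have it). It assumes, as postconf does, that the last definition of a parameter in main.cf wins, that values are plain yes/no (the only booleans Postfix accepts), and it ignores continuation lines. The sample main.cf content is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a Postfix
# instance effectively forbids unauthorised command pipelining, the
# short-term SMTP smuggling mitigation.
#
# effective_forbid_unauth_pipelining <postfix-version> <path-to-main.cf>
# prints one of: yes | no | unsupported

# Release default for smtpd_forbid_unauth_pipelining, or "unsupported"
# when the release predates the parameter (thresholds as stated in the post).
parameter_default() {
    version="$1"
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;            # "3.9" carries no patch level
    esac
    if [ "$major" -gt 3 ]; then echo yes; return; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 9 ]; then echo yes; return; fi
    if [ "$major" -ne 3 ]; then echo unsupported; return; fi
    case "$minor" in
        8) need=1 ;;
        7) need=6 ;;
        6) need=10 ;;
        5) need=20 ;;
        *) echo unsupported; return ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo no; else echo unsupported; fi
}

# Effective value: an explicit main.cf setting overrides the release default.
effective_forbid_unauth_pipelining() {
    version="$1"
    maincf="$2"
    default=$(parameter_default "$version")
    if [ "$default" = unsupported ]; then echo unsupported; return; fi
    # Like postconf, take the last definition; strip surrounding whitespace.
    explicit=$(sed -n \
        's/^[[:space:]]*smtpd_forbid_unauth_pipelining[[:space:]]*=[[:space:]]*//p' \
        "$maincf" | sed 's/[[:space:]]*$//' | tail -n 1)
    case "$explicit" in
        "")           echo "$default" ;;   # not set: release default applies
        [Yy][Ee][Ss]) echo yes ;;
        *)            echo no ;;            # "no" (Postfix rejects other values)
    esac
}

# Stand-alone demonstration on a constructed main.cf (not a real site's config).
tmp=$(mktemp)
printf '%s\n' 'smtpd_banner = $myhostname ESMTP' \
              'smtpd_forbid_unauth_pipelining = yes' > "$tmp"
echo "3.8.1, explicit yes : $(effective_forbid_unauth_pipelining 3.8.1 "$tmp")"
printf '%s\n' 'smtpd_banner = $myhostname ESMTP' > "$tmp"
echo "3.8.1, not set      : $(effective_forbid_unauth_pipelining 3.8.1 "$tmp")"
echo "3.9, not set        : $(effective_forbid_unauth_pipelining 3.9 "$tmp")"
echo "3.8.0, not set      : $(effective_forbid_unauth_pipelining 3.8.0 "$tmp")"
rm -f "$tmp"
```

On a live system the authoritative answer is simply `postconf smtpd_forbid_unauth_pipelining`, which prints the effective value; the script above is for reviewing configuration files away from the host, for example in a repository of managed main.cf files, where the default has to be derived from the version being deployed.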
Postfix-users mailing list -- postfix-users@postfix.org