Damian via Postfix-users:
> > It really does not matter much, but leaving BDAT enabled can help in
> > some cases. It is not necessary to go this deep down the rabbit hole.
>
> So what could be smuggled into a Postfix that defines
> "reject_unauth_pipelining" but does not define
> "smtpd_discard_ehlo_keywords = chunking"?
It depends on whether you are talking about the BDAT or DATA commands that are used to deliver the message with the smuggled commands and text, or about the smuggled BDAT or DATA commands.

The smuggling attack won't work when the sending MTA and receiving MTA support BDAT, and the sending MTA prefers using BDAT over DATA.

When the sending MTA chooses to use DATA, the smuggled commands can still use BDAT or DATA. This time, the choice is made by the attacker, and it depends only on the receiving MTA capabilities.

With a smuggled DATA command, the attack can trigger a command pipelining violation, because the sending MTA will not wait between sending the smuggled DATA command and the smuggled text (but see notes below).

With a smuggled BDAT command, there is no pipelining violation. This is why the current short-term fix recommends not announcing CHUNKING support.

Note 1: an attacker can use their own custom MTA that waits after sending the smuggled DATA command, but then they can no longer send the attack from an IP address that passes SPF-based DMARC checks for the sender that they wish to impersonate.

Note 2: an attacker can place the smuggled DATA\r\n at the end of a network packet, and cause network congestion in the hope that there will be some delay between receiving the smuggled DATA command and the smuggled text. But that is a blind attack. The sending MTA ignores any error responses that the receiving MTA sends after the "ok" response to the fake end-of-message.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
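The four cases Wietse describes (smuggled DATA caught as a pipelining violation, smuggled BDAT slipping through, BDAT closed off by hiding CHUNKING, and Note 1's attacker MTA that waits), played out against a toy model of the receiving MTA. This is an added example, not Postfix source and not code from anyone in the thread. It assumes a receiver that accepts a bare-LF "." line as end-of-message (the lenient parsing the smuggled text needs), a receiver that rejects BDAT when CHUNKING is not announced, and it does not model the sending MTA's dot-stuffing (so the smuggled terminators use a bare LF as well). Addresses and message text are constructed.

```python
"""Toy model of the receiving MTA in an SMTP smuggling attempt (added example,
not Postfix code). Assumptions: "<LF>.<CR><LF>" ends a message; BDAT is rejected
when CHUNKING is not announced; the sending MTA's dot-stuffing is ignored."""
import re
from dataclasses import dataclass, field

# Assumed weakness: a bare-LF "." line ends the message, not only CRLF.CRLF.
LENIENT_EOD = re.compile(rb"\r?\n\.\r\n")


@dataclass
class Receiver:
    announce_chunking: bool = True        # False models smtpd_discard_ehlo_keywords = chunking
    reject_unauth_pipelining: bool = True
    replies: list = field(default_factory=list)
    queued: list = field(default_factory=list)   # (command used, message text)
    _mode: str = "command"
    _data: bytes = b""

    def handle(self, segments):
        """Each segment is what the client writes before it waits for a reply."""
        for seg in segments:
            buf = seg
            while buf:
                if self._mode == "data":
                    m = LENIENT_EOD.search(buf)
                    if m is None:
                        self._data += buf
                        break
                    self._data += buf[:m.start()]
                    self.queued.append(("DATA", self._data.decode()))
                    self.replies.append("250 2.0.0 Ok: queued (DATA)")
                    self._mode, self._data = "command", b""
                    buf = buf[m.end():]      # bytes after the "." are parsed as commands
                    continue
                line, _, buf = buf.partition(b"\r\n")
                verb, _, arg = line.partition(b" ")
                verb = verb.upper()
                if verb in (b"EHLO", b"MAIL", b"RCPT"):
                    self.replies.append(f"250 {verb.decode()} ok")
                elif verb == b"DATA":
                    if buf and self.reject_unauth_pipelining:
                        # Text arrived behind DATA without waiting for 354: the
                        # synchronization violation reject_unauth_pipelining catches.
                        self.replies.append("554 5.5.0 Error: SMTP protocol synchronization")
                        return self
                    self.replies.append("354 End data with <CR><LF>.<CR><LF>")
                    self._mode = "data"
                elif verb == b"BDAT":
                    if not self.announce_chunking:
                        self.replies.append("502 5.5.1 Error: command not implemented")
                        return self
                    size = int(arg.split()[0])
                    # BDAT's chunk legitimately follows the command without a round
                    # trip, so there is no synchronization rule to violate here.
                    self.queued.append(("BDAT", buf[:size].decode()))
                    self.replies.append("250 2.0.0 Ok: queued (BDAT)")
                    buf = buf[size:]
                elif verb == b"QUIT":
                    self.replies.append("221 Bye")
                    return self
                else:
                    self.replies.append("500 5.5.2 Error: command not recognized")
        return self


# Constructed smuggled sequences planted inside the attacker's message text.
SMUGGLED_DATA = (b"MAIL FROM:<ceo@victim.example>\r\nRCPT TO:<cfo@victim.example>\r\n"
                 b"DATA\r\nWire the money.\n.\r\n")
SMUGGLED_BDAT = (b"MAIL FROM:<ceo@victim.example>\r\nRCPT TO:<cfo@victim.example>\r\n"
                 b"BDAT 15 LAST\r\nWire the money.")


def run_scenario(smuggled, announce_chunking=True, reject_unauth_pipelining=True,
                 attacker_waits=False):
    """Drive a Receiver with what the sending MTA actually puts on the wire."""
    body = (b"Subject: invoice\r\n\r\nlegit text"
            b"\n.\r\n"          # fake end-of-message inside the attacker's text
            + smuggled
            + b"\r\n.\r\n")     # real end-of-message appended by the sending MTA
    segments = [b"EHLO mail.sender.example\r\n", b"MAIL FROM:<user@sender.example>\r\n",
                b"RCPT TO:<cfo@victim.example>\r\n", b"DATA\r\n", body, b"QUIT\r\n"]
    if attacker_waits:
        # Note 1: an attacker-controlled MTA pauses after the smuggled DATA.
        head, sep, tail = body.partition(b"\r\nDATA\r\n")
        segments[4:5] = [head + sep, tail]
    return Receiver(announce_chunking, reject_unauth_pipelining).handle(segments)


if __name__ == "__main__":
    cases = [("smuggled DATA, standard sender", dict(smuggled=SMUGGLED_DATA)),
             ("smuggled BDAT, CHUNKING announced", dict(smuggled=SMUGGLED_BDAT)),
             ("smuggled BDAT, CHUNKING hidden", dict(smuggled=SMUGGLED_BDAT, announce_chunking=False)),
             ("smuggled DATA, attacker MTA waits", dict(smuggled=SMUGGLED_DATA, attacker_waits=True))]
    for label, kw in cases:
        r = run_scenario(**kw)
        print(f"{label}: last reply {r.replies[-1]!r}, queued {r.queued}")
```

Only the first case ends in a 554, and only the third never queues the smuggled message through BDAT; the 500 replies the model emits for the real MTA's trailing ".\r\n" are the error responses the sending MTA never reads.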