Damian via Postfix-users:
> > The recommended settings are:
> >
> >     # Optionally disconnect remote SMTP clients that send bare newlines,
> >     # but allow local clients with non-standard SMTP implementations
> >     # such as netcat, fax machines, or load balancer health checks.
> >     #
> >     smtpd_forbid_bare_newline = yes
> >     smtpd_forbid_bare_newline_exclusions = $mynetworks
>
> The test tool [1] revealed that my 3.7.9 Postfix using
> `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close
> that one as well.
>
> [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git

Postfix with the fix does not treat \r\n.\n as an End-of-DATA. Nor
does it treat \r\n.\r as End-of-DATA.

When I send message content with \r\n.\r, it arrives as message content
with \r at the beginning of a line. It does not terminate DATA and
does not enable smuggling.

Sent as one SMTP mail transaction:

    [omitted: ehlo, mail from, rcpt to, data]
    non-smuggled text ending in\r\n
    .\r
    mail from:<>\r\n
    rcpt to:<recipient>\r\n
    data\r\n
    other text lines ending in\r\n
    .\r\n

Delivered by Postfix as one email message with SMTP commands in the middle:

    non-smuggled text
    \rmail from:<>
    rcpt to:<recipient>
    data
    [other text]

In other words, I need to see proof in the form of a PCAP file and
NON-VERBOSE logging, or it did not happen.

    Wietse
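
The two end-of-DATA interpretations discussed in this thread, as an added example that is not part of either post and is not Postfix code. The sample byte strings are constructed from the transaction sketched above, and the "lenient" rule is an assumed model of a receiver that accepts a bare LF around the dot line.

```python
import re

STRICT_EOD = b"\r\n.\r\n"                   # the only end-of-DATA in RFC 5321
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")  # assumed model: bare LF also accepted

def data_end(stream: bytes, lenient: bool) -> int:
    """Offset just past the first end-of-DATA marker, or -1 if there is none."""
    if lenient:
        m = LENIENT_EOD.search(stream)
        return m.end() if m else -1
    i = stream.find(STRICT_EOD)
    return i + len(STRICT_EOD) if i >= 0 else -1

def leftover(stream: bytes, lenient: bool) -> bytes:
    """Bytes after end-of-DATA; a receiver would parse these as SMTP commands."""
    end = data_end(stream, lenient)
    return stream[end:] if end >= 0 else b""

def bare_newlines(stream: bytes) -> list[tuple[int, str]]:
    """Offsets of CR not followed by LF and of LF not preceded by CR."""
    hits = []
    for m in re.finditer(rb"\r(?!\n)|(?<!\r)\n", stream):
        hits.append((m.start(), "bare CR" if m.group() == b"\r" else "bare LF"))
    return hits

# Constructed sample: the DATA payload from the transaction above (".\r" case).
SAMPLE_CR = (b"non-smuggled text\r\n.\r"
             b"mail from:<>\r\nrcpt to:<recipient>\r\ndata\r\n"
             b"other text\r\n.\r\n")
# Constructed sample: same payload with the first dot line ended by a bare LF.
SAMPLE_LF = SAMPLE_CR.replace(b"\r\n.\r", b"\r\n.\n", 1)

if __name__ == "__main__":
    for name, s in (("\\r\\n.\\r", SAMPLE_CR), ("\\r\\n.\\n", SAMPLE_LF)):
        print(name, "bare newlines:", bare_newlines(s))
        for lenient in (False, True):
            rest = leftover(s, lenient)
            mode = "lenient" if lenient else "strict"
            print(f"  {mode}: {len(rest)} bytes left after end-of-DATA")
```

Under the strict rule both samples are one message with nothing left over; only the assumed lenient rule ends DATA early on the bare-LF sample and leaves the remaining lines to be read as commands.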