Wietse Venema via Postfix-users:
> Damian via Postfix-users:
> > > The recommended settings are:
> > >
> > > # Optionally disconnect remote SMTP clients that send bare newlines,
> > > # but allow local clients with non-standard SMTP implementations
> > > # such as netcat, fax machines, or load balancer health checks.
> > > #
> > > smtpd_forbid_bare_newline = yes
> > > smtpd_forbid_bare_newline_exclusions = $mynetworks
> > >
> >
> > The test tool [1] revealed that my 3.7.9 Postfix using
> > `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> > One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to
> > close that one as well.
> >
> > [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git
>
> Postfix with the fix does not treat \r\n.\n as an End-of-DATA.
>
> Nor does it treat \r\n.\r as End-of-DATA.
>
> When I send message content with \r\n.\r, it arrives as message
> content with \r at the beginning of a line. It does not terminate
> DATA and does not enable smuggling.

Just for kicks, I tried \r\n.\r and it would not even smuggle with
unpatched Postfix (smtpd_forbid_bare_newline = no).

        Wietse

> Sent as one SMTP mail transaction:
>
> [omitted: ehlo, mail from, rcpt to, data]
> non-smuggled text ending in\r\n
> .\r
> mail from:<>\r\n
> rcpt to:<recipient>\r\n
> data\r\n
> other text lines ending in\r\n
> .\r\n
>
> Delivered by Postfix as one email message with SMTP commands in the middle:
>
> non-smuggled text
> \rmail from:<>
> rcpt to:<recipient>
> data
> [other text]
>
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
>
>         Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
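
The two cases discussed in this thread, `\r\n.\r` and `\r\n.\n`, as an added example that is not part of the original messages and is not Postfix code. It models where a receiver splits the DATA stream: the strict rule is the RFC 5321 `<CR><LF>.<CR><LF>` terminator, and the lenient rule (an assumption made for illustration) accepts a bare `\n` as a line ending. The function names and the sample transaction are constructed.

```python
import re

STRICT_EOD = b"\r\n.\r\n"                  # RFC 5321 end-of-DATA
# Constructed model of a lenient receiver: a line may end in CRLF or bare LF.
LENIENT_EOD = re.compile(rb"\n\.\r?\n")
BARE_LF = re.compile(rb"(?<!\r)\n")        # LF not preceded by CR


def split_data(stream: bytes, lenient: bool):
    """Return (body, leftover) as the modelled receiver would split the
    bytes that follow the DATA command, or None if no terminator is seen.
    A non-empty leftover is what would be parsed as new SMTP commands."""
    if lenient:
        m = LENIENT_EOD.search(stream)
        if m is None:
            return None
        return stream[:m.start() + 1], stream[m.end():]
    idx = stream.find(STRICT_EOD)
    if idx < 0:
        return None
    return stream[:idx + 2], stream[idx + len(STRICT_EOD):]


def has_bare_lf(stream: bytes) -> bool:
    """Check a receiver can apply before accepting the message content."""
    return BARE_LF.search(stream) is not None


# Constructed sample modelled on the transaction quoted in the thread.
TAIL = b"mail from:<>\r\nrcpt to:<recipient>\r\ndata\r\nother text\r\n.\r\n"


def sample(sep: bytes) -> bytes:
    return b"non-smuggled text\r\n" + sep + TAIL


if __name__ == "__main__":
    for sep in (b".\r", b".\n"):
        for lenient in (False, True):
            body, rest = split_data(sample(sep), lenient)
            print(sep, "lenient" if lenient else "strict",
                  "-> leftover bytes:", len(rest),
                  "| bare LF present:", has_bare_lf(sample(sep)))
```

With `.\r` both models return an empty leftover, so the embedded commands stay inside one message body; only the `.\n` input under the lenient model leaves command bytes after the split, and that input is also the one the bare-LF check flags.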