Wietse Venema via Postfix-users:
> Damian via Postfix-users:
> > > The recommended settings are:
> > >
> > >
> > >
> > >
> > > # Optionally disconnect remote SMTP clients that send bare newlines,
> > > # but allow local clients with non-standard SMTP implementations
> > > # such as netcat, fax machines, or load balancer health checks.
> > > #
> > > smtpd_forbid_bare_newline = yes
> > > smtpd_forbid_bare_newline_exclusions = $mynetworks
> >
> >
> > The test tool [1] revealed that my 3.7.9 Postfix using
> > `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> > One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to
> > close that one as well.
> >
> > [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git
>
> Postfix with the fix does not treat \r\n.\n as an End-of-DATA.
>
> Nor does it treat \r\n.\r as End-of-DATA.
>
> When I send message content with \r\n.\r, it arrives as message
> content with \r at the beginning of a line. It does not terminate
> DATA and does not enable smuggling.
Just for kicks, I tried \r\n.\r and it would not even smuggle with
unpatched Postfix (smtpd_forbid_bare_newline = no).
Wietse
> Sent as one SMTP mail transaction:
>
> [omitted: ehlo, mail from, rcpt to, data]
> non-smuggled text ending in\r\n
> .\r
> mail from:<>\r\n
> rcpt to:<recipient>\r\n
> data\r\n
> other text lines ending in\r\n
> .\r\n
>
> Delivered by Postfix as one email messages with SMTP commands in the middle:
>
> non-smuggled text
> \rmail from:<>
> rcpt to:<recipient>
> data
> [other text]
>
> In other words, I need to see proff in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
