[pfx] Re: SMTP Smuggling with long-term fix
Hi
Yes, this is the e-mail body from the test - only when the sender domain has SPF set to ~all or no SPF record exists.

On 8.01.2024 at 15:08, Damian via Postfix-users wrote:
>> SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
>> SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
>> SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
>> SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
>
> Are those really standalone emails with subject "SMUGGLED EMAIL ..."?
> If they are, I cannot reproduce that even with disabled short-term workarounds.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SMTP Smuggling with long-term fix
> SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
> SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
> SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
> SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!

Are those really standalone emails with subject "SMUGGLED EMAIL ..."?
If they are, I cannot reproduce that even with disabled short-term workarounds.
[pfx] Re: SMTP Smuggling with long-term fix
I'm running on Ubuntu 22 which ships postfix 3.6.4. I've tried the short-term solution, but this test tool can still send forged emails:

$ postconf -n | grep -E "smtpd_data_restrictions|smtpd_discard_ehlo_keywords"
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard

Is there anything I can do?

KR,
Gino

Sent with Proton Mail secure email.

On Saturday, January 6th, 2024 at 11:38 AM, Damian via Postfix-users wrote:

> > The recommended settings are:
> >
> > # Optionally disconnect remote SMTP clients that send bare newlines,
> > # but allow local clients with non-standard SMTP implementations
> > # such as netcat, fax machines, or load balancer health checks.
> > #
> > smtpd_forbid_bare_newline = yes
> > smtpd_forbid_bare_newline_exclusions = $mynetworks
>
> The test tool [1] revealed that my 3.7.9 Postfix using
> `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close
> that one as well.
>
> [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git
[pfx] Re: SMTP Smuggling with long-term fix
On 8.01.2024 at 13:35, Damian via Postfix-users wrote:
>> I created a test VPS (outside my infrastructure) and installed everything for python3 for testing
>> root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd
>
> Don't use a sender-domain you don't have control over. The default should be good enough for basic smuggling tests.

Yes, I will remember.

>> Sorry, is this correct for "Short-term workarounds"?
>
> You should have received various emails with subject "CHECK EMAIL ...". If you have not received additional emails with subject "SMUGGLED EMAIL ..." then your short-term workarounds are doing their job.

I get some:

SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
[pfx] Re: SMTP Smuggling with long-term fix
> I created a test VPS (outside my infrastructure) and installed everything for python3 for testing
> root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd

Don't use a sender-domain you don't have control over. The default should be good enough for basic smuggling tests.

> Sorry, is this correct for "Short-term workarounds"?

You should have received various emails with subject "CHECK EMAIL ...". If you have not received additional emails with subject "SMUGGLED EMAIL ..." then your short-term workarounds are doing their job.
[pfx] Re: SMTP Smuggling with long-term fix
Hi
Sorry for the stupid question, but I don't really understand.

I created a test VPS (outside my infrastructure) and installed everything for python3 for testing:

root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd
[*] Getting MX record for domain: xx
[*] Running SMTP smuggling check!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\n'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\r'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\n'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\r'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\r\n'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\r\n'! Check your inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r\n\x00.\r\n'! Check your inbox!

In my MX I use postfix-3.4.x and a main.cf like:

...
smtpd_data_restrictions =
    #postfwd check_policy_service { inet:127.0.0.1:10040 timeout=2s, default_action=DUNNO }
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_discard_ehlo_keywords = chunking, silent-discard
...

And all were allowed for delivery except two tests: \n.\n and \n.\r\n

Jan 8 13:03:29 maitest postfix/smtpd[21417]: improper command pipelining after DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: From: smugg...@gmail.com\r\nTo: piot...@domain.ltd \r\nSubject: SMUGGLED EMAIL ('\\n.\\n')\r\nDate: Mo
Jan 8 13:03:29 mailtest postfix/smtpd[21417]: 4T7t4d2GKnz3mhqr: reject: DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=
Jan 8 13:03:51 mailtest postfix/smtpd[21416]: improper command pipelining after DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: From: smugg...@gmail.com\r\nTo: piot...@domain.ltd\r\nSubject: SMUGGLED EMAIL ('\\n.\\r\\n')\r\nDate:
Jan 8 13:03:51 mailtest postfix/smtpd[21416]: 4T7t530077z3mhqs: reject: DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

Sorry, is this correct for "Short-term workarounds"?

When I use a domain with hard SPF reject, all was rejected (rejected at SPF level).

[1] https://github.com/The-Login/SMTP-Smuggling-Tools.git
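The two "improper command pipelining after DATA" lines in the log above are where `reject_unauth_pipelining` stops the attempt: the smuggled `data` command is refused because the rest of the attacker's payload is already sitting in the input buffer, and Postfix logs the start of that buffered input, which is why the smuggled message's `From:`/`To:`/`Subject:` headers appear in the line. As an added example (not the scanner's code and not from any message in this thread), here is a small Python detector that turns such lines into a per-client summary. The log lines it runs over are constructed to match the two formats quoted above, with made-up host names, RFC 5737 IPs, queue IDs and addresses; the regular expressions are assumptions fitted to those formats and would need adjusting for other log layouts.

```python
"""Added example (not Postfix code, not from the thread): summarise the
"improper command pipelining after DATA" events that reject_unauth_pipelining
logs, per client, with the Subject of the message it refused to accept."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the two line formats quoted above.
# Host names, IPs (RFC 5737 ranges), queue IDs and addresses are made up.
SAMPLE_LOG = r"""
Jan  8 13:03:29 mailtest postfix/smtpd[21417]: improper command pipelining after DATA from client.example.test[192.0.2.10]: From: attacker@example.test\r\nTo: victim@example.test\r\nSubject: SMUGGLED EMAIL ('\\n.\\n')\r\nDate: Mo
Jan  8 13:03:29 mailtest postfix/smtpd[21417]: ABCDEF123456: reject: DATA from client.example.test[192.0.2.10]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<attacker@example.test> to=<victim@example.test> proto=ESMTP helo=<client.example.test>
Jan  8 13:03:51 mailtest postfix/smtpd[21416]: improper command pipelining after DATA from client.example.test[192.0.2.10]: From: attacker@example.test\r\nTo: victim@example.test\r\nSubject: SMUGGLED EMAIL ('\\n.\\r\\n')\r\nDate: Mo
Jan  8 13:03:51 mailtest postfix/smtpd[21416]: ABCDEF123457: reject: DATA from client.example.test[192.0.2.10]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<attacker@example.test> to=<victim@example.test> proto=ESMTP helo=<client.example.test>
Jan  8 13:05:00 mailtest postfix/smtpd[21419]: connect from other.example.test[198.51.100.7]
"""

# "improper command pipelining after DATA from host[ip]: <buffered input>"
PIPELINING_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+postfix/smtpd\[\d+\]: "
    r"improper command pipelining after DATA from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<payload>.*)$"
)
# The matching "reject: DATA from host[ip]: 503 5.5.0 ..." line.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): reject: DATA from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"503 5\.5\.0 .*Improper use of SMTP command pipelining"
)
# Postfix logs the buffered input with C-style escapes, so header lines
# are separated by the four characters \r\n, not by a real CRLF.
SUBJECT_RE = re.compile(r"Subject: (?P<subject>.*?)(?:\\r\\n|$)")


def sample_lines() -> list[str]:
    return [line for line in SAMPLE_LOG.splitlines() if line.strip()]


def parse_pipelining_events(lines: list[str]) -> list[dict]:
    """One record per 'improper command pipelining after DATA' line."""
    events = []
    for line in lines:
        m = PIPELINING_RE.match(line)
        if not m:
            continue
        s = SUBJECT_RE.search(m["payload"])
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "ip": m["ip"],
            "subject": s["subject"] if s else None,
        })
    return events


def count_rejects_by_ip(lines: list[str]) -> Counter:
    """Number of DATA rejections for unauthorised pipelining per client IP."""
    rejects: Counter = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects[m["ip"]] += 1
    return rejects


def summarize(lines: list[str]) -> dict[str, dict]:
    """Per client IP: how many buffered-input events were seen, how many
    DATA commands were rejected, and the Subjects of the refused messages."""
    rejects = count_rejects_by_ip(lines)
    subjects: dict[str, list] = defaultdict(list)
    for event in parse_pipelining_events(lines):
        subjects[event["ip"]].append(event["subject"])
    return {
        ip: {"attempts": len(subs), "rejects": rejects.get(ip, 0), "subjects": subs}
        for ip, subs in subjects.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(sample_lines()).items():
        print(f"{ip}: {info['attempts']} attempts, {info['rejects']} rejected")
        for subject in info["subjects"]:
            print(f"    {subject}")
```

A client that trips this more than once in a short window is worth blocking at the firewall rather than just at DATA, since each event means a fake end-of-data was accepted and only the pipelining check kept the injected transaction from being delivered.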
[pfx] Re: SMTP Smuggling with long-term fix
On Sat, Jan 06, 2024 at 20:10:34 -0500, Wietse Venema via Postfix-users wrote:
> People are welcome to test tools against postfix-3.9-20240106.

With postfix-3.9-20240106 (with smtpd_forbid_bare_newline=yes but smtpd_forbid_unauth_pipelining=no) all smuggling tests now fail, including the CRCRLF tests.

https://github.com/The-Login/SMTP-Smuggling-Tools

Geert
[pfx] Re: SMTP Smuggling with long-term fix
> People are welcome to test tools against postfix-3.9-20240106.

I could test against a 3.7.9 codebase if you posted a patch for it.
[pfx] Re: SMTP Smuggling with long-term fix
People are welcome to test tools against postfix-3.9-20240106.

Wietse
[pfx] Re: SMTP Smuggling with long-term fix
On Sat, Jan 06, 2024 at 14:47:59 -0500, Wietse Venema via Postfix-users wrote:
> Damian:
> > If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
>
> Viktor Dukhovni:
> > Does that also need to be more strict? :-(
>
> Indeed, and as usual the fix is trivial. This process is backwards,
> it is what we get with publication before the analysis, tooling,
> and software fixes are complete.

Extended the author's test suite with "CRCRLF" tests and indeed they pass:
https://github.com/The-Login/SMTP-Smuggling-Tools/pull/4
(with smtpd_forbid_bare_newline=yes but smtpd_forbid_unauth_pipelining=no)

Geert
[pfx] Re: SMTP Smuggling with long-term fix
Damian:
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n

Viktor Dukhovni:
> Does that also need to be more strict? :-(

Indeed, and as usual the fix is trivial. This process is backwards,
it is what we get with publication before the analysis, tooling,
and software fixes are complete.

Wietse
[pfx] Re: SMTP Smuggling with long-term fix
On 6 Jan 2024, at 12:04 pm, Damian via Postfix-users wrote:
>
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
>
> I will assemble a pcap and some logs when I'm back home.

That's expected, Postfix will accept one *or more* CRs before LF as CRLF.

https://github.com/vdukhovni/postfix/blob/d2d9daf4d1b5e8cec47bd7434264f92b4fe1ba30/postfix/src/global/smtp_stream.c#L437-L438

Does that also need to be more strict? :-(

-- 
Viktor.
[pfx] Re: SMTP Smuggling with long-term fix
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n

I will assemble a pcap and some logs when I'm back home.

> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
[pfx] Re: SMTP Smuggling with long-term fix
BTW

All smuggling tests are invalid when the client is allowlisted with
smtpd_forbid_bare_newline_exclusions (default: $mynetworks).

Wietse
[pfx] Re: SMTP Smuggling with long-term fix
Wietse Venema via Postfix-users:
> Damian via Postfix-users:
> > > The recommended settings are:
> > >
> > > # Optionally disconnect remote SMTP clients that send bare newlines,
> > > # but allow local clients with non-standard SMTP implementations
> > > # such as netcat, fax machines, or load balancer health checks.
> > > #
> > > smtpd_forbid_bare_newline = yes
> > > smtpd_forbid_bare_newline_exclusions = $mynetworks
> >
> > The test tool [1] revealed that my 3.7.9 Postfix using
> > `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> > One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to
> > close that one as well.
> >
> > [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git
>
> Postfix with the fix does not treat \r\n.\n as an End-of-DATA.
>
> Nor does it treat \r\n.\r as End-of-DATA.
>
> When I send message content with \r\n.\r, it arrives as message
> content with \r at the beginning of a line. It does not terminate
> DATA and does not enable smuggling.

Just for kicks, I tried \r\n.\r and it would not even smuggle with
unpatched Postfix (smtpd_forbid_bare_newline = no).

Wietse

> Sent as one SMTP mail transaction:
>
> [omitted: ehlo, mail from, rcpt to, data]
> non-smuggled text ending in\r\n
> .\r
> mail from:<>\r\n
> rcpt to:\r\n
> data\r\n
> other text lines ending in\r\n
> .\r\n
>
> Delivered by Postfix as one email message with SMTP commands in the middle:
>
> non-smuggled text
> \rmail from:<>
> rcpt to:
> data
> [other text]
>
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
>
> Wietse
[pfx] Re: SMTP Smuggling with long-term fix
Damian via Postfix-users:
> > The recommended settings are:
> >
> > # Optionally disconnect remote SMTP clients that send bare newlines,
> > # but allow local clients with non-standard SMTP implementations
> > # such as netcat, fax machines, or load balancer health checks.
> > #
> > smtpd_forbid_bare_newline = yes
> > smtpd_forbid_bare_newline_exclusions = $mynetworks
>
> The test tool [1] revealed that my 3.7.9 Postfix using
> `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
> One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close
> that one as well.
>
> [1] https://github.com/The-Login/SMTP-Smuggling-Tools.git

Postfix with the fix does not treat \r\n.\n as an End-of-DATA.

Nor does it treat \r\n.\r as End-of-DATA.

When I send message content with \r\n.\r, it arrives as message
content with \r at the beginning of a line. It does not terminate
DATA and does not enable smuggling.

Sent as one SMTP mail transaction:

[omitted: ehlo, mail from, rcpt to, data]
non-smuggled text ending in\r\n
.\r
mail from:<>\r\n
rcpt to:\r\n
data\r\n
other text lines ending in\r\n
.\r\n

Delivered by Postfix as one email message with SMTP commands in the middle:

non-smuggled text
\rmail from:<>
rcpt to:
data
[other text]

In other words, I need to see proof in the form of a PCAP file and
NON-VERBOSE logging, or it did not happen.

Wietse
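Viktor's observation earlier in the thread that one or more CRs before LF are accepted as CRLF, and Wietse's transaction above in which `\r\n.\r` arrives as content with a leading `\r`, both come down to how the receiver splits the DATA stream into lines before looking for the lone dot. The following is an added example, not Postfix code and not from any message in this thread: a small Python model of that scan with a lenient policy (a bare LF terminates a line and any run of CRs directly before it is swallowed) and a strict one (only the two-byte CRLF terminates a line), run over the fake end-of-data sequences the scanner tries plus the CRCRLF variant. Everything in it, including the placeholder addresses in the appended commands, is an assumption of the example; the two policies are simplifications and do not attempt to reproduce every result reported in this thread, and the NUL variant is left out because the model treats NUL as ordinary content.

```python
"""Added example (not Postfix code): a model of how an SMTP receiver scans
the DATA phase for the end-of-data line, under two line-splitting policies.

LENIENT approximates the behaviour discussed in this thread for a receiver
without the fix: a bare LF terminates a line, and one or more CR bytes
immediately before the LF are swallowed as part of the terminator.
STRICT only accepts the exact two-byte CRLF; a bare LF or a stray CR stays
inside the line and therefore inside the message content.
"""
from __future__ import annotations

STRICT = "strict"
LENIENT = "lenient"

# Commands an attacker appends after the fake end-of-data. If the receiver
# accepts the fake terminator these become a second SMTP transaction;
# otherwise they are just text inside the first message. Placeholder address.
SMUGGLED_TAIL = (
    b"mail from:<>\r\n"
    b"rcpt to:<victim@example.test>\r\n"
    b"data\r\n"
    b"Subject: SMUGGLED EMAIL\r\n"
    b"\r\n"
    b"smuggled body\r\n"
    b".\r\n"
)


def _next_line(buf: bytes, start: int, policy: str) -> tuple[bytes | None, int]:
    """Return (line without its terminator, offset after the terminator),
    or (None, start) when no complete line is available."""
    if policy == LENIENT:
        lf = buf.find(b"\n", start)
        if lf < 0:
            return None, start
        end = lf
        # Swallow one or more CR before LF, i.e. treat "\r\r\n" like "\r\n".
        while end > start and buf[end - 1] == 0x0D:
            end -= 1
        return buf[start:end], lf + 1
    crlf = buf.find(b"\r\n", start)
    if crlf < 0:
        return None, start
    return buf[start:crlf], crlf + 2


def receive_data(wire: bytes, policy: str) -> tuple[list[bytes], bytes | None]:
    """Consume the DATA phase from `wire` and return
    (message lines, bytes left on the wire after end-of-data).

    The second element is None when no end-of-data was seen, meaning
    everything, SMTP commands included, was taken as message content."""
    lines: list[bytes] = []
    pos = 0
    while True:
        line, pos = _next_line(wire, pos, policy)
        if line is None:
            return lines, None
        if line == b".":
            return lines, wire[pos:]
        if line.startswith(b"."):
            line = line[1:]  # undo dot-stuffing (RFC 5321, section 4.5.2)
        lines.append(line)


def smuggling_test(fake_eod: bytes, policy: str) -> bool:
    """True when `fake_eod` terminates DATA so that SMUGGLED_TAIL would be
    executed as a second transaction by a receiver using `policy`.

    The wire layout mirrors the scanner's test: legitimate content ending
    in a proper CRLF, then the fake end-of-data, then the commands."""
    wire = b"non-smuggled text ending in CRLF\r\n" + fake_eod + SMUGGLED_TAIL
    _, leftover = receive_data(wire, policy)
    return leftover is not None and leftover.startswith(b"mail from:")


# Fake end-of-data sequences tried by the scanner in this thread (minus the
# NUL variant), plus the CRCRLF variant discussed above.
FAKE_EODS = [b"\n.\n", b"\n.\r", b"\r.\n", b"\r.\r", b"\n.\r\n",
             b"\r.\r\n", b"\r\n.\r", b"\r\n.\r\r\n"]


def run_matrix() -> dict[bytes, tuple[bool, bool]]:
    """Map each fake end-of-data to (smuggles under LENIENT, under STRICT)."""
    return {eod: (smuggling_test(eod, LENIENT), smuggling_test(eod, STRICT))
            for eod in FAKE_EODS}


if __name__ == "__main__":
    for eod, (lenient, strict) in run_matrix().items():
        print(f"{eod!r:16} lenient={lenient!s:5} strict={strict}")
```

Under the lenient policy `\n.\n` and `\r\n.\r\r\n` terminate DATA and the appended commands would run as a second transaction; under the strict policy none of the sequences do. `\r\n.\r` never terminates DATA in either policy and instead yields the body line `\rmail from:<>`, which is the delivered text Wietse shows above.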
[pfx] Re: SMTP Smuggling with long-term fix
> smuggling for the `\r\n.\n` case.

Sorry, that was a bad copy-paste, I meant '\r\n.\r'.
[pfx] Re: SMTP Smuggling with long-term fix
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case. One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.

After a small adaptation to the tool to use BDAT one can see what Wietse described in [2], so one also still needs to disable chunking.

[2] https://www.mail-archive.com/postfix-users@postfix.org/msg100990.html