SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with subj
I created a test VPS (outside my infrastructure) and installed everything for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over. The default
should be good enough for basic smuggling tests
People are welcome to test tools against postfix-3.9-20240106.
I could test against a 3.7.9 codebase if you posted a patch for it.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.o
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
I will assemble a pcap and some logs when I'm back home.
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
___
smuggling for the `\r\n.\n` case.
Sorry, that was a bad copypaste, I meant '\r\n.\r'.
___
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.
After a small adaptation to the tool to use BDAT one can see what Wiet
The recommended settings are:
#
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
So what could be smuggled into a Postfix that defines "reject_unauth_pipelining" but does not define "smtpd_discard_ehlo_keywords = chunking"?
__
SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions, "s
So as per your previous post, setting a policy such as this one would
do the trick?
...
This would be necessary to keep DMARC AR headers after they passed the
content_filter Amavis. It is not necessary for OpenDMARC to do its work.
It was not clear what "skipping OpenDMARC" means exactly, but
This question has stirred up a lot of answers but if I’m understanding
correctly, it looks like I cannot use opendmarc with amavisd in
postfix as a pre-queue filter for dkim. The only viable option is
opendkim with opendmarc as pre-queue milters like I was originally doing.
Conceptually you ca
correct, but amavisd supports rspamd, which has dmarc
what?
Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not
for DMARC policy enforcement.
___
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
in what way ?
amavisd-milter was already part of Dino's smtpd_milters. It is like you would
have said:
> http://www.postfix.org/. Just use that, it replaces the /etc you ha
___
By “getting skipped” I mean I have no logs of opendmarc doing anything.
Do you have logs of opendmarc doing anything if you remove Amavis from
smtpd_milters?
I don’t understand how I would disable dkim in my content_filter
policy. Dkim verification is either enabled or disabled in Amavis
un
I tried this config but sadly it doesn’t work, OpenDMARC
(127.0.0.1:54321) gets skipped completely
If "getting skipped" means that you don't see Authentication-Results for
DMARC, I have a feeling that you didn't disable DKIM verification on
your content_filter Interface Policy. Amavis will rem