[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-20 Thread Geert Hendrickx via Postfix-users
On Mon, Dec 18, 2023 at 17:40:49 -0500, Wietse Venema via Postfix-users wrote: > Viktor Dukhovni via Postfix-users: > > - Postfix 3.9 (pending official release soon) rejects unauthorised > > pipelining by default: "smtpd_forbid_unauth_pipelining = yes". > > > > - Postfix 3.8.1, 3.7.6, 3.6.10 and

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Viktor Dukhovni via Postfix-users: > [. in BDAT payload] > > > If my suspicion is correct, a downstream server may receive the > > > normal and smuggled content as two separate messages. > > > > I don't see why. It shouldn't matter how Microsoft's MTA ends up > >

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: [. in BDAT payload] > > If my suspicion is correct, a downstream server may receive the > > normal and smuggled content as two separate messages. > > I don't see why. It shouldn't matter how Microsoft's MTA ends up > with a message containing "." or (.), so long a

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 10:42:14AM -0500, Wietse Venema via Postfix-users wrote: > First, there is one mistake in my last quoted paragraph above. In > the smuggled commands, an attacker can avoid an SMTP command > pipelining violation by using BDAT instead of DATA. > Below I'm indenting the s

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Rejecting stray and while receiving mail will prevent > Postfix from receiving "smuggled" SMTP commands after a malformed > end-of-data sequence, and thus, it will prevent Postfix from > forwarding them. > > So would rejecting an SMTP command pipelining protoco

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:20:57AM +0100, r.barclay--- via Postfix-users wrote: > > For now, enforcement of pipelining is actually available, while > > enforcement of vs. is still only a hypothetical. > > As an average user without any special or legacy systems, I'd > appreciate if one could con

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Wietse Venema via Postfix-users
Wietse: > - Don't accept mail with a broken end-of-data sequence (Postfix > currently allows zero or more followed by ). Or more > generally, don't accept or that aren't part of a > sequence. Postfix does not support BDAT with BINARYMIME, so there > is no valid use of stray or bytes. Vijay S

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread r.barclay--- via Postfix-users
> For now, enforcement of pipelining is actually available, while > enforcement of vs. is still only a hypothetical. As an average user without any special or legacy systems, I'd appreciate if one could configure Postfix as safe and secure as possible regarding this issue. So I'd value being o

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 05:40:49PM -0500, Wietse Venema wrote: > > - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting > > code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining" > > parameter defaults to "no". > > Indeed, setting "smtpd_forbid_unauth_pipelining = ye

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: > - Postfix 3.9 (pending official release soon) rejects unauthorised > pipelining by default: "smtpd_forbid_unauth_pipelining = yes". > > - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting > code as 3.9 snapshots, but the "smtpd_forbid_unau

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Vijay S Sarvepalli via Postfix-users
. We all live in the ecosystem anyway. Thanks Vijay Sarvepalli From: Wietse Venema via Postfix-users Date: Monday, December 18, 2023 at 4:15 PM To: Postfix users Subject: [pfx] Re: Postfix authenticated sender and From: header verification Warning: External Sender - do not click links or op

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users: > On 2023-12-18 at 11:31:47 UTC-0500 (Mon, 18 Dec 2023 16:31:47 +) > Vijay S Sarvepalli via Postfix-users > is rumored to have said: > > > Hello Viktor, Wietse, > > (I am copying the Postfix community as the report is out in the public > > now) > > > > First of a

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 02:48:43PM -0500, Bill Cole via Postfix-users wrote: > > This research work has now been published by Sec Consult company, see > > link below . > > It is interesting that they seem to be unaware of some SMTP basics, such as > the fact that message bodies, message headers,

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Bill Cole via Postfix-users
On 2023-12-18 at 11:31:47 UTC-0500 (Mon, 18 Dec 2023 16:31:47 +) Vijay S Sarvepalli via Postfix-users is rumored to have said: Hello Viktor, Wietse, (I am copying the Postfix community as the report is out in the public now) First of all thank you for your help and response to highlight

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Vijay S Sarvepalli via Postfix-users
Subject: Re: [pfx] Re: Postfix authenticated sender and From: header verification On Wed, Nov 29, 2023 at 01:02:04PM -0500, Wietse Venema wrote: > Vijay S Sarvepalli: > > Hello Wietse, > > > Adding Viktor as co-maintainer and also security geek. Thanks. :-) Some comments. - RFC53

[pfx] Re: Postfix authenticated sender and From: header verification

2023-11-28 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Vijay S Sarvepalli via Postfix-users: > > Hello Postfix community, > > > > This may be a feature request. As far as I can tell it is currently > > not possible to verify if an authenticated user has sent email > > that uses a From: header (After DATA command) tha

[pfx] Re: Postfix authenticated sender and From: header verification

2023-11-28 Thread Bill Cole via Postfix-users
On 2023-11-27 at 17:55:32 UTC-0500 (Mon, 27 Nov 2023 22:55:32 +) Vijay S Sarvepalli via Postfix-users is rumored to have said: Hello Postfix community, This may be a feature request. As far as I can tell it is currently not possible to verify if an authenticated user has sent email that

[pfx] Re: Postfix authenticated sender and From: header verification

2023-11-27 Thread Wietse Venema via Postfix-users
Vijay S Sarvepalli via Postfix-users: [ Charset windows-1252 converted... ] > Hello Postfix community, > > This may be a feature request. As far as I can tell it is currently > not possible to verify if an authenticated user has sent email > that uses a From: header (After DATA command) that does