Hi
Yest this is e-mails body from test - only when sender domain have SPF
set ~all or SPF not exist
W dniu 8.01.2024 o 15:08, Damian via Postfix-users pisze:
SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with
I'm running on Ubuntu 22 which ships postfix 3.6.4 .
I've tried the short term solution, but this test tool still can send forged
emails:
$ postconf -n | grep -E "smtpd_data_restrictions|smtpd_discard_ehlo_keywords"
smtpd_data_restrictions = reject_unauth_pipelining
W dniu 8.01.2024 o 13:35, Damian via Postfix-users pisze:
I create test VPS (outside my infrastructure) and install all for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain
gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over.
I create test VPS (outside my infrastructure) and install all for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain
gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over. The default
should be good enough for basic smuggling
Hi
Sorry for stupid question but I dont realy undarstand
I create test VPS (outside my infrastructure) and install all for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com
piot...@mydomain.ltd
[*] Getting MX record for domain: xx
[*] Running
On Sat, Jan 06, 2024 at 20:10:34 -0500, Wietse Venema via Postfix-users wrote:
> People are welcome to test tools against postfix-3.9-20240106.
With postfix-3.9-20240106 (with smtpd_forbid_bare_newline=yes but
smtpd_forbid_unauth_pipelining=no) all smuggling tests now fail,
including CRCRL
People are welcome to test tools against postfix-3.9-20240106.
I could test against a 3.7.9 codebase if you posted a patch for it.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to
People are welcome to test tools against postfix-3.9-20240106.
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
On Sat, Jan 06, 2024 at 14:47:59 -0500, Wietse Venema via Postfix-users wrote:
> Damian:
> > If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
>
> Viktor Dukhovni:
> > Does that also need to be more strict? :-(
>
> Indeed, and as usual the fix is trivial. This process is backwards,
Damian:
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
Viktor Dukhovni:
> Does that also need to be more strict? :-(
Indeed, and as usual the fix is trivial. This process is backwards,
it is what we get with publication before the analysis, tooling,
and software fixes are
On 6 Jan 2024, at 12:04 pm, Damian via Postfix-users
wrote:
>
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
>
> I will assemble a pcap and some logs when I'm back home.
That's expected, Postfix will accept one *or more* CRs before LF as CRLF.
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
I will assemble a pcap and some logs when I'm back home.
> In other words, I need to see proff in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
___
Postfix-users
BTW All smuggling tests are invalid when the client is allowlisted
with smtpd_forbid_bare_newline_exclusions (default: $mynetworks).
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to
Wietse Venema via Postfix-users:
> Damian via Postfix-users:
> > > The recommended settings are:
> > >
> > >
Damian via Postfix-users:
> > The recommended settings are:
> >
> >
> >
smuggling for the `\r\n.\n` case.
Sorry, that was a bad copypaste, I meant '\r\n.\r'.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.
After a small adaptation to the tool to use BDAT one can see what
18 matches
Mail list logo
