SMTP smuggling vulnerability


this is an FYI as there seems to be something happennig in the SMTP world. Postfix released last minute updates to fix a supposedly serious issue:

Also there is going to be a talk at 37c3 about this tomorrow:

BTW: I just realized that the postfix version delivered in Ubuntu is somewhat behind. Ubuntu is running 3.6.4 while postfix has released a fix in 3.6.13.


I believe the latest version 67 fixes this vulnerability, unless there’s more for us to do…


I went to the site and the info in there does not seem to be in the new so I added it manually, its pretty straight forward.


Are you referring to additional parameters besides the one which is in the commit? My has below


The Postfix page now seems to have an additional configuration item:
smtpd_discard_ehlo_keywords = chunking

When I checked “SMTP Smuggling” the Long-term fix is:
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks

and I assume that’s what needed to be applied.

If you can shed some more light on the subject I’d appreciate it, thanks.

The long term fix is only available for the newest versions of postfix. Ubuntu 22.04 on which Miab is based has version 3.6.4, which means for now only a short term solution can be applied. If we look at the section “With all Postfix versions:”
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking

MiaB 67 was released with only the first line. We also need to add the second line.

Perhaps the long term solution will be backported to ubuntu 22.04 lts, I have no information on that.

I wonder if this is a very serious security issue, the Ubuntu cve tracker is still empty…

1 Like

Nice one thanks, makes more sense.

The second line to be added is:
smtpd_discard_ehlo_keywords = chunking

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.