lvdd
December 26, 2023, 9:18pm
Hi,
this is an FYI, as there seems to be something happening in the SMTP world. Postfix released last-minute updates to fix a supposedly serious issue:
https://www.postfix.org/smtp-smuggling.html
Also there is going to be a talk at 37c3 about this tomorrow:
https://events.ccc.de/congress/2023/hub/en/event/smtp_smuggling_spoofing_e-mails_worldwide/
BTW: I just realized that the postfix version delivered in Ubuntu is somewhat behind. Ubuntu is running 3.6.4 while postfix has released a fix in 3.6.13.
regards
lvdd
themew
December 27, 2023, 2:11am
I believe the latest version 67 fixes this vulnerability, unless there’s more for us to do…
CHANGELOG
=========
Version 67 (December 22, 2023)
------------------------------
* Guard against a newly published vulnerability called SMTP Smuggling. See https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/.
Version 66 (December 17, 2023)
------------------------------
* Some users reported an error installing Mail-in-a-Box related to the virtualenv command. This is hopefully fixed.
* Roundcube is updated to 1.6.5 fixing a security vulnerability.
* For Mail-in-a-Box developers, a new setup variable is added to pull the source code from a different repository.
Version 65 (October 27, 2023)
-----------------------------
* Roundcube updated to 1.6.4 fixing a security vulnerability.
* zpush.sh updated to version 2.7.1.
gezza
December 27, 2023, 5:45pm
Hi
I went to the postfix.org site, and the info there does not seem to be in the new main.cf, so I added it manually; it's pretty straightforward.
Cheers
eXTric
December 27, 2023, 11:07pm
Are you referring to additional parameters besides the one which is in the commit? My main.cf has the line below:
smtpd_data_restrictions=reject_unauth_pipelining
committed 01:54PM - 22 Dec 23 UTC
This short-term workaround is recommended at https://www.postfix.org/smtp-smuggl… ing.html:
smtpd_data_restrictions=reject_unauth_pipelining
The Postfix page now seems to have an additional configuration item:
smtpd_discard_ehlo_keywords = chunking
gezza
December 28, 2023, 8:44am
Hi
Yes.
When I checked "SMTP Smuggling", the long-term fix is:
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
and I assume that’s what needed to be applied.
If you can shed some more light on the subject I’d appreciate it, thanks.
The long-term fix is only available for the newest versions of Postfix. Ubuntu 22.04, on which MiaB is based, has version 3.6.4, which means for now only a short-term solution can be applied. If we look at the section "With all Postfix versions:"
main.cf:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
MiaB 67 was released with only the first line. We also need to add the second line.
Perhaps the long-term solution will be backported to Ubuntu 22.04 LTS; I have no information on that.
I wonder if this is a very serious security issue; the Ubuntu CVE tracker is still empty...
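The posts above list the Postfix settings but do not show why a bare newline in DATA matters, nor a quick way to check a main.cf for the lines. The following is an added example, not code from this thread or from Mail-in-a-Box: a tiny model of two receiving servers (one that only accepts the RFC <CRLF>.<CRLF> terminator, one that also accepts a bare <LF>.<LF>), fed a constructed message that carries a second transaction after a bare-newline terminator, plus a checker that parses a constructed main.cf excerpt for the short-term and long-term settings quoted in the thread. The message, the main.cf fragment and the "MiaB 67 ships only the first line" state are assumptions built for the example.

```python
"""Added example (not code from the thread or from Mail-in-a-Box).

1. Why a bare <LF>.<LF> inside DATA matters: SMTP ends a message with
   <CRLF>.<CRLF>.  A receiver that also accepts the bare-LF variant ends the
   message early and then reads the rest of the body as new SMTP commands
   (the smuggled transaction).  A receiver that insists on CRLF does not.
   Postfix's long-term fix, smtpd_forbid_bare_newline = yes, goes further and
   rejects such input outright; the short-term lines make the smuggled,
   unannounced pipelined commands and the BDAT (CHUNKING) path fail instead.
2. A checker for the main.cf settings quoted in the thread.

All sample data below is constructed for this example.
"""
import re

STRICT_EOD_RE = re.compile(rb"\r\n\.\r\n")      # RFC 5321 terminator only
LENIENT_EOD_RE = re.compile(rb"\r?\n\.\r?\n")   # also accepts bare LF
COMMAND_RE = re.compile(rb"(?i)^(MAIL FROM|RCPT TO|DATA|RSET|QUIT)\b")


def split_data(stream: bytes, strict: bool) -> tuple[bytes, bytes]:
    """Split the bytes a client sent after the 354 reply into
    (message, remainder) at the first end-of-data this receiver recognises.
    A CRLF is prepended so a terminator at the very start (empty message) is
    found too.  Dot-unstuffing is omitted; it does not move the split."""
    prefixed = b"\r\n" + stream
    m = (STRICT_EOD_RE if strict else LENIENT_EOD_RE).search(prefixed)
    if m is None:
        return stream, b""          # no terminator yet: still inside DATA
    return prefixed[2:m.start()], prefixed[m.end():]


def smuggled_commands(stream: bytes, strict: bool) -> list[bytes]:
    """Lines after the first recognised end-of-data that look like SMTP
    commands, i.e. what a lenient receiver would go on to execute."""
    _, rest = split_data(stream, strict)
    return [ln for ln in re.split(rb"\r?\n", rest) if COMMAND_RE.match(ln)]


# Constructed message: legitimate-looking body, a bare-LF terminator, then a
# complete second transaction, finished with a genuine <CRLF>.<CRLF>.
SMUGGLING_BODY = (
    b"Subject: legit\r\n\r\nHello\r\n"
    b"\n.\n"                                     # bare-newline end-of-data
    b"MAIL FROM:<spoofed@example.test>\r\n"
    b"RCPT TO:<victim@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled\r\n\r\nsecond message\r\n"
    b".\r\n"
)

# Settings from the thread: the two "with all Postfix versions" lines and the
# long-term fix that needs a patched Postfix (3.6.13 in the 3.6 series).
SHORT_TERM = {"smtpd_data_restrictions": "reject_unauth_pipelining",
              "smtpd_discard_ehlo_keywords": "chunking"}
LONG_TERM = {"smtpd_forbid_bare_newline": "yes"}


def parse_main_cf(text: str) -> dict[str, str]:
    """Minimal main.cf reader: 'name = value', '#' comments, indented
    continuation lines; later assignments override earlier ones."""
    params: dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def check_main_cf(text: str) -> dict:
    """Report which mitigations are missing.  Values are matched as comma or
    whitespace separated tokens, so an existing restriction list counts as
    long as it contains the required token."""
    params = parse_main_cf(text)

    def present(name: str, token: str) -> bool:
        return token in params.get(name, "").replace(",", " ").split()

    missing = [n for n, t in {**SHORT_TERM, **LONG_TERM}.items()
               if not present(n, t)]
    return {
        "short_term_complete": all(n not in missing for n in SHORT_TERM),
        "long_term_complete": all(n not in missing for n in LONG_TERM),
        "missing": missing,
    }


# Constructed main.cf excerpt mirroring what the thread says MiaB 67 ships:
# only the pipelining line.
MIAB_67_MAIN_CF = """\
# Postfix main.cf excerpt (constructed for the example)
smtpd_banner = $myhostname ESMTP Hi
smtpd_data_restrictions=reject_unauth_pipelining
"""

if __name__ == "__main__":
    print("strict receiver sees:", smuggled_commands(SMUGGLING_BODY, True))
    print("lenient receiver sees:", smuggled_commands(SMUGGLING_BODY, False))
    print(check_main_cf(MIAB_67_MAIN_CF))
```

Running it shows the strict receiver treating the whole thing as one message while the lenient one finds MAIL FROM, RCPT TO and DATA waiting to be executed, and the checker flags smtpd_discard_ehlo_keywords and smtpd_forbid_bare_newline as missing from the MiaB 67 excerpt. To check a real box, read /etc/postfix/main.cf into check_main_cf, or compare against `postconf -n` output, which uses the same name = value form.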
gezza
December 28, 2023, 9:25am
Nice one, thanks; that makes more sense.
vele
December 29, 2023, 9:52am
The second line to be added is:
smtpd_discard_ehlo_keywords = chunking
system
Closed
February 7, 2024, 9:52am
This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.