postfix - update the smuggling details for 3.8.5.

The previous 'yes' is now aliased to 'normalize' which will be
the default in postfix-3.9, so prefer that.  It now only rejects
if the bare newlines are in the DATA section of the mail, to
provide better compatibility with existing SMTP clients.

If a site needs to reject mails with bare newlines in the
message body, the value can be changed to 'reject'.

See https://www.openwall.com/lists/oss-security/2024/01/22/1
Ken Moffat 2024-02-07 14:39:29 +00:00
parent fe1f174292
commit 9f3382f62c


@ -411,11 +411,12 @@ echo 'alias_maps = lmdb:/etc/aliases' &gt;&gt; /etc/postfix/main.cf</userinp
To protect your server against the recent SMTP smuggling attacks,
additional steps are required. Add two lines into
<filename>/etc/postfix/main.cf</filename> to disconnect remote SMTP
clients that send bare newlines, while also allowing clients on your
network with non-standard SMTP implementations to still send mail:
clients that send bare newlines in the DATA section, while also
allowing clients on your network with non-standard SMTP implementations
to still send mail:
</para>
<screen role="root"><userinput>echo 'smtpd_forbid_bare_newline = yes' &gt;&gt; /etc/postfix/main.cf &amp;&amp;
<screen role="root"><userinput>echo 'smtpd_forbid_bare_newline = normalize' &gt;&gt; /etc/postfix/main.cf &amp;&amp;
echo 'smtpd_forbid_bare_newline_exclusions = $mynetworks' &gt;&gt; /etc/postfix/main.cf</userinput></screen>
<para>
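Review bot: the reworded paragraph (the three added lines beginning "clients that send bare newlines in the DATA section") still says the two settings "disconnect" such clients, but the command added just below now writes `smtpd_forbid_bare_newline = normalize`, and the commit message itself says that rejection is the behaviour of the separate `reject` value ("If a site needs to reject mails with bare newlines in the message body, the value can be changed to 'reject'"). As written, a reader will expect a disconnect that this configuration does not perform. Suggest making the prose match the value, for example: "to handle remote SMTP clients that send bare newlines in the DATA section (set the value to 'reject' instead of 'normalize' if such clients should be disconnected), while also allowing clients on your network ...". It would also help to carry the commit message's note that 'yes' is now an alias for 'normalize' into the page, so readers upgrading an existing main.cf know the old value still works.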