Hello Viktor, Wietse,
(I am copying the Postfix community as the report is out in the public now)

First of all, thank you for your help and for your response highlighting your 
approach to this issue.  This may not be the first time you have observed types 
of abuse that relate to spoofing.

This research work has now been published by the Sec Consult company, see link 
below.  We were not able to actually reproduce the Postfix issues the researcher 
mentions, so we did not make a public statement as CERT/CC.  In our testing, we 
used the default Postfix Submission server with 
reject_authenticated_sender_login_mismatch (https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch)
and later added milterfrom to prevent Header From: and SMTP MAIL FROM: 
mismatch.  As far as we can tell, none of the methods mentioned in the article 
succeeded in sneaking past reject_authenticated_sender_login_mismatch 
(https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch).
It is possible that the specific Postfix configurations the researcher found in 
use at these major providers fail to validate these addresses for other reasons; 
as we do not know their configuration, we cannot really comment.

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Anyway, if you find it necessary, we can help and write up some best practices 
to prevent the claimed abuse, specifically for Postfix.  As this 
“vulnerability” falls between a specific product setup, CERT/CC has a little 
bit more trouble in trying to find a proper closure to a Coordinated 
Vulnerability Disclosure (CVD) process.

Thanks
Vijay


From: Viktor Dukhovni <vik...@dukhovni.org>
Date: Wednesday, November 29, 2023 at 1:40 PM
To: Wietse Venema <wie...@porcupine.org>
Cc: Vijay S Sarvepalli <vssarvepa...@cert.org>
Subject: Re: [pfx] Re: Postfix authenticated sender and From: header 
verification
On Wed, Nov 29, 2023 at 01:02:04PM -0500, Wietse Venema wrote:
> Vijay S Sarvepalli:
> > Hello Wietse,
>
>
> Adding Viktor as co-maintainer and also security geek.

Thanks. :-)  Some comments.

- RFC5322 and Postfix support "Resent-" headers, for messages that
  are re-injected (largely as-is) into the mail stream by a recipient.
  A "Resent" message will have someone else's "From" address, and the
  original (most recent) recipient's "Resent-From" address.

- As Wietse notes, enforcing address alignment:

    * Does nothing for display name alignment.

it also:

    * Does not deal with potentially misleading "Group Name: ;" syntax.

    * Does not deal with fancy and misleading body content that distracts
      the recipient away from all that geeky header information.

And I consider efforts to partly raise the difficulty of using
misleading "From:" headers, without fully solving the problem, as
potentially counter-productive.

I'd rather see MUAs do a better job of signalling that the From
header is just alleged information, and should not be taken
at face value.

    Maybe-From-But-Perhaps-Not:
    From-Possibly:
    Do-you-feel-lucky-from:
    ...

    :-)

--
    Viktor.
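As an added example, not code from this thread, from Postfix, or from the milter Vijay mentions: a Python check of the kind a submission-time milter would apply. It mirrors the intent of reject_authenticated_sender_login_mismatch against a constructed login map, compares the header From: with the envelope sender, and shows the cases Viktor lists where a pure address-alignment check has nothing to compare (a Resent message, where Resent-From: is the header to look at; "Group Name: ;" syntax with no address) and surfaces display names that alignment never examines. The login map, the function names and the sample headers are my own assumptions.

```python
"""Envelope/header alignment checks of the kind a submission-time milter
would apply, together with the cases a pure address-alignment check cannot
judge.  Added example only: not Postfix code and not the milter mentioned
in the thread.  The login map and sample messages are constructed."""
from email import message_from_string, policy

# Constructed stand-in for a Postfix sender-login map: which SASL login
# owns which envelope sender addresses (an assumption for this example).
SENDER_LOGIN_MAP = {
    "alice@example.com": {"alice@example.com", "sales@example.com"},
}


def envelope_sender_allowed(sasl_login, mail_from):
    """Mirror the intent of reject_authenticated_sender_login_mismatch:
    an authenticated client may only use MAIL FROM addresses owned by
    its login.  Unknown logins own nothing."""
    owned = {a.lower() for a in SENDER_LOGIN_MAP.get(sasl_login, ())}
    return mail_from.lower() in owned


def check_header_alignment(raw_message, mail_from):
    """Compare the RFC 5322 From: (or Resent-From:) with the envelope
    sender.  Returns (verdict, notes) with verdict one of 'aligned',
    'mismatch' or 'undecidable'."""
    msg = message_from_string(raw_message, policy=policy.default)
    notes = []

    # A resent message legitimately carries someone else's From:; the
    # party that re-injected it is named in Resent-From:, so that is the
    # header an alignment check has to compare.
    header_name = "Resent-From" if msg["Resent-From"] is not None else "From"
    hdr = msg[header_name]
    if hdr is None:
        return "undecidable", ["no From: header"]
    if header_name == "Resent-From":
        notes.append("resent message: compared Resent-From:, not From:")

    specs = [a.addr_spec.lower() for a in hdr.addresses]

    # "Group Name: ;" is valid syntax that contains no address at all,
    # so there is nothing for an alignment check to compare.
    empty_groups = [g.display_name for g in hdr.groups if not g.addresses]
    if empty_groups and not specs:
        notes.append("group syntax with no address: %r" % empty_groups)
        return "undecidable", notes

    # Alignment says nothing about display names; surface any that carry
    # an address-looking token so a human or the MUA can weigh it.
    for a in hdr.addresses:
        if "@" in (a.display_name or ""):
            notes.append("display name looks like an address: %r"
                         % a.display_name)

    if mail_from.lower() in specs:
        return "aligned", notes
    notes.append("From: %s does not match MAIL FROM %s" % (specs, mail_from))
    return "mismatch", notes


# Constructed sample messages (headers only) used by the demo below.
PLAIN = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
RESENT = ("Resent-From: alice@example.com\nFrom: Bob <bob@example.net>\n"
          "Subject: fwd\n\nbody\n")
GROUP = "From: Accounts Payable:;\nSubject: invoice\n\nbody\n"
DISPLAY_NAME = ('From: "ceo@example.com" <alice@example.com>\n'
                "Subject: urgent\n\nbody\n")

if __name__ == "__main__":
    print("envelope ok:", envelope_sender_allowed("alice@example.com",
                                                  "sales@example.com"))
    for name, raw in [("plain", PLAIN), ("resent", RESENT),
                      ("group", GROUP), ("display-name", DISPLAY_NAME)]:
        print(name, check_header_alignment(raw, "alice@example.com"))
```

The envelope check is the part Postfix itself enforces on the submission port; the header check is what a milter adds, and the 'undecidable' verdicts are exactly the gaps Viktor describes, which is why a milter that only compares address strings cannot be the whole answer.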
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org