On Wed, Dec 20, 2023 at 09:12:47PM +0100, John D'Orazio via Postfix-devel wrote:

> I recently encountered on a server of my own a case of SMTP smuggling.

I am very sceptical that this is in fact the case.  Which is to say,
very confident it is not.

> I was befuddled by the fact that I received a message which appeared
> to be coming from my own email address, even though from the headers I
> could see that the true actor was sending from an IP address from
> another country. And yet the email passed SPF and DKIM!

You surely misinterpreted the message content.  Postfix is never an
intermediary system in "SMTP smuggling", it can only be an end-recipient
of mishandling of non-conformant line-endings in some other upstream
submission system.

> I'm now seeing a lot of articles popping up on the web about SMTP
> smuggling, and this seems to be exactly what happened in this case.

Perhaps a suggestive and enticing coincidence, but very unlikely to
actually match your situation.

> However some articles I have read are saying that Postfix is
> vulnerable to these kinds of attacks.

Only as a receiving end-system, and only to the extent that you care to
enforce DKIM and/or SPF alignment with any applicable DMARC policy.  The
real issue is in the upstream that transmits non-standard line breaks
downstream.

> Does anyone have any information on how to mitigate these attacks? Is a
> patch to Postfix feasible to protect against this vulnerability? Has a
> patch already been put in place?


On Wed, Dec 20, 2023 at 10:25:28PM +0100, John D'Orazio via Postfix-users wrote:

> I have however started implementing amavis as spam detection, which
> does use -o smtpd_data_restrictions=reject_unauth_pipelining.

That's not Amavis, that's Postfix.  Yes, if that's specified for the
port 25 inbound Postfix service, it will in most cases mitigate the
attack.  Note however, my assertion above that this is with near
certainty not the source of your observed mystery message.

-- 
    Viktor.
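As an added illustration of the receiving-end point made above (this is example code, not from the thread and not Postfix's own code): a strict reader for the SMTP DATA phase that ends a message only at the RFC 5321 CRLF "." CRLF terminator and counts bare CR/LF, so non-conformant line endings stay inside the message body rather than being mistaken for a message boundary. The sample byte stream is constructed for the example.

```python
import re

# RFC 5321 end-of-data indicator: <CRLF>.<CRLF>
END_OF_DATA = b"\r\n.\r\n"
# A CR not followed by LF, or an LF not preceded by CR. RFC 5321 forbids
# both inside a message transmitted over SMTP.
BARE_LINE_ENDING = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def read_data(stream: bytes):
    """Split a DATA-phase byte stream at the first conformant terminator.

    Returns (message, remaining, bare_line_endings), or None when no
    conformant terminator has arrived yet (the caller keeps reading).
    """
    if stream.startswith(b".\r\n"):            # empty message
        end, message = 3, b""
    else:
        idx = stream.find(END_OF_DATA)
        if idx == -1:
            return None
        message = stream[:idx + 2]              # keep the final CRLF
        end = idx + len(END_OF_DATA)
    bare = len(BARE_LINE_ENDING.findall(message))
    return message, stream[end:], bare


def unstuff(message: bytes) -> bytes:
    """Remove the extra leading dot senders add to lines that start with '.'."""
    lines = message.split(b"\r\n")
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)


# Constructed sample: the body contains a bare-LF "." bare-LF sequence, which
# a strict receiver keeps as content; only the CRLF "." CRLF ends the message.
SAMPLE = b"Subject: test\r\n\r\nhello\n.\nmore text\r\n.\r\nQUIT\r\n"

if __name__ == "__main__":
    message, rest, bare = read_data(SAMPLE)
    print(bare, "bare line endings; data left after the message:", rest)
```

A receiver that logs a non-zero bare line-ending count has a simple signal for upstream systems that forward non-standard line breaks.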
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org