Hello Carsten, thanks a lot for your response!
I reloaded the config:

    postconf -f | grep pipelining
    smtpd_discard_ehlo_keywords = pipelining
    smtpd_forbid_unauth_pipelining = yes

And do not get Pipelining listed anymore:

    220 dev1.example.dev ESMTP Postfix
    250-dev1.example.dev
    250-SIZE 52428800
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250-SMTPUTF8
    250 CHUNKING
    250 2.1.0 Ok
    250 2.1.5 Ok
    354 End data with <CR><LF>.<CR><LF>
    250 2.0.0 Ok: queued as E9CEA7DA6B
    250 2.1.0 Ok
    250 2.1.5 Ok
    354 End data with <CR><LF>.<CR><LF>
    250 2.0.0 Ok: queued as EAB9D8514C

But as visible, it's still possible to use 'MESSAGE 1\n.\n' as EOD.

Thanks in advance for any feedback.

Best regards
Till Wigger

________________________________
From: Carsten Rosenberg via Postfix-users <postfix-users@postfix.org>
Sent: Thursday, 21 December 2023 11:04
To: postfix-users@postfix.org <postfix-users@postfix.org>
Subject: [pfx] Re: SMTP Smuggling still possible after disabling pipelining

Hey,

it seems you're still offering

> 250-PIPELINING

Both options work as expected on my side (Postfix 3.7.6).

best regards
Carsten

On 21.12.23 10:29, Till W. via Postfix-users wrote:
> Dear team,
>
> we enabled smtpd_forbid_unauth_pipelining in our Postfix, but
> unfortunately it still accepts \n.\n (<LF>.<LF>) as EOD. This is our
> configuration in main.cf:
>
>     smtpd_forbid_unauth_pipelining = yes
>     smtpd_discard_ehlo_keywords = pipelining
>
> Here is an example of two emails being pipelined with <LF>.<LF>:
>
>     ( printf 'ehlo example.com'
>       printf '\r\n'
>       printf 'mail FROM: us...@example.com\r\n'
>       printf 'rcpt TO: us...@receiver.com\r\n'
>       printf 'data\r\n'
>       printf 'From: header1@sender\r\n'
>       printf 'To: header1@receiver\r\n'
>       printf 'Subject: SUBJECT #1\r\n'
>       printf '\r\n'
>       printf 'MESSAGE 1\n.\n'
>       printf 'mail FROM: admin@sender\r\n'
>       printf 'rcpt to: targ...@receiver.com\r\n'
>       printf 'DATA\r\n'
>       printf 'From: header2@sender\r\n'
>       printf 'To: targ...@receiver.com\r\n'
>       printf 'Subject: SUBJECT #2\r\n'
>       printf 'MESSAGE2\r\n.\r\n' ) | netcat server.example
>
> Postfix output:
>
>     220 dev1.example.dev ESMTP Postfix
>     250-dev1.example.dev
>     250-PIPELINING
>     250-SIZE 52428800
>     250-VRFY
>     250-ETRN
>     250-STARTTLS
>     250-ENHANCEDSTATUSCODES
>     250-8BITMIME
>     250-DSN
>     250-SMTPUTF8
>     250 CHUNKING
>     250 2.1.0 Ok
>     250 2.1.5 Ok
>     354 End data with <CR><LF>.<CR><LF>
>     250 2.0.0 Ok: queued as 7E8857D1B7
>     250 2.1.0 Ok
>     250 2.1.5 Ok
>     354 End data with <CR><LF>.<CR><LF>
>     250 2.0.0 Ok: queued as 8017A818F4
>
> We are running: mail_version = 3.8.3
>
> Do you have other recommendations on what actions could be taken?
>
> Thanks and regards
>
> Till Wigger
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
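As an added example (not code from the thread or from Postfix), the following Python models the two observations discussed above: whether an EHLO banner still advertises PIPELINING after `smtpd_discard_ehlo_keywords`, and how the same DATA stream queues one message when only <CR><LF>.<CR><LF> ends the data but two when a bare <LF>.<LF> is accepted. The banner and payload are reconstructed from the posted session; the addresses truncated in the post are replaced by constructed placeholders.

```python
import re

# Constructed from the EHLO response posted after the reload (hostname and SIZE as in the thread).
EHLO_AFTER_RELOAD = "\r\n".join([
    "250-dev1.example.dev", "250-SIZE 52428800", "250-VRFY", "250-ETRN",
    "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250-DSN",
    "250-SMTPUTF8", "250 CHUNKING",
]) + "\r\n"

# The DATA payload from the thread's printf test, reassembled as one byte string.
# Truncated addresses in the post are replaced by a constructed one (second@receiver.example).
DATA_STREAM = (
    b"From: header1@sender\r\nTo: header1@receiver\r\nSubject: SUBJECT #1\r\n\r\n"
    b"MESSAGE 1\n.\n"                                  # bare-LF terminator under test
    b"mail FROM: admin@sender\r\nrcpt to: second@receiver.example\r\nDATA\r\n"
    b"From: header2@sender\r\nTo: second@receiver.example\r\nSubject: SUBJECT #2\r\n"
    b"MESSAGE2\r\n.\r\n"                                # proper CRLF terminator
)


def ehlo_keywords(response: str) -> set[str]:
    """Upper-cased keywords from a multi-line 250 EHLO response (first 250 line is the domain)."""
    lines = [l[4:] for l in response.splitlines() if l.startswith("250") and len(l) > 4]
    return {l.split(" ", 1)[0].upper() for l in lines[1:]}


def advertises_pipelining(response: str) -> bool:
    """True if PIPELINING is still offered, i.e. the discard setting did not take effect."""
    return "PIPELINING" in ehlo_keywords(response)


def queued_bodies(stream: bytes, accept_bare_lf: bool) -> list[bytes]:
    """Model the server's DATA handling and return the message bodies it would queue.

    After each end-of-data marker the remaining bytes are read as SMTP commands until
    the next DATA, so a lenient terminator splits one client transaction into two."""
    eod = re.compile(rb"(?:^|\r?\n)\.\r?\n" if accept_bare_lf else rb"(?:^|\r\n)\.\r\n")
    next_data = re.compile(rb"(?i)DATA\r\n")
    bodies, pos = [], 0
    while (m := eod.search(stream[pos:])):     # search the remainder so '^' works after pos
        bodies.append(stream[pos:pos + m.start()])
        cmd = next_data.search(stream, pos + m.end())
        if not cmd:
            break  # no further DATA command: nothing left to queue
        pos = cmd.end()
    return bodies
```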