> -----Original Message-----
> From: Wietse Venema via Postfix-announce <postfix-annou...@postfix.org>
> Sent: 21. december 2023 13:52
> To: Postfix announce <postfix-annou...@postfix.org>
> Cc: Postfix users <postfix-users@postfix.org>
> Subject: [pfx-ann] SMTP Smuggling, workarounds and fix
>
> SHORT-TERM WORKAROUNDS
>
> A short-term workaround can be deployed now, before the upcoming long
> holiday and associated production change freeze.
>
> NOTE: This will stop only the published form of the attack. Other forms exist
> that will not be stopped in this manner.
>
> * With all Postfix versions, "smtpd_data_restrictions =
> reject_unauth_pipelining" will stop the published exploit.
>
> * Postfix 3.9 (stable release expected early 2024), rejects unauthorised
> pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> * Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
> but the "smtpd_forbid_unauth_pipelining" parameter defaults to "no".
>
> Compatibility: the setting "smtpd_forbid_unauth_pipelining = yes" or
> "smtpd_data_restrictions = reject_unauth_pipelining" may break legitimate
> SMTP clients that mis-implement SMTP, but such clients are exceedingly rare,
> especially when email is sent across the Internet.
I'm reading that either "smtpd_data_restrictions = reject_unauth_pipelining" or "smtpd_forbid_unauth_pipelining = yes" should *work* as a short-term workaround, right? I've had data-restrictions for years, just today added forbid_unauth for good measure.

Looking through logs I see:

Dec 10 22:50:47 mail.vlh.dk postfix/smtpd warning: hostname apzg-0720d-069.stretchoid.com does not resolve to address 107.170.224.38
Dec 10 22:50:47 mail.vlh.dk postfix/smtpd connect from unknown[107.170.224.38]
Dec 10 22:50:47 mail.vlh.dk postfix/smtpd improper command pipelining after CONNECT from unknown[107.170.224.38]: EHLO apzg-0720d-069\r\n
Dec 10 22:50:56 mail.vlh.dk postfix/smtpd lost connection after EHLO from unknown[107.170.224.38]
Dec 10 22:50:56 mail.vlh.dk postfix/smtpd disconnect from unknown[107.170.224.38] ehlo=1 commands=1
Dec 11 07:05:16 mail.vlh.dk postfix/smtpd connect from scan-09.shadowserver.org[74.82.47.2]
Dec 11 07:05:17 mail.vlh.dk postfix/smtpd improper command pipelining after CONNECT from scan-09.shadowserver.org[74.82.47.2]: GET / HTTP/1.1\r\nHost: 212.237.179.56:25\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple
Dec 11 07:05:17 mail.vlh.dk postfix/smtpd warning: non-SMTP command from scan-09.shadowserver.org[74.82.47.2]: GET / HTTP/1.1
Dec 11 07:05:17 mail.vlh.dk postfix/smtpd disconnect from scan-09.shadowserver.org[74.82.47.2] unknown=0/1 commands=0/1
Dec 21 11:14:31 mail.vlh.dk postfix/smtpd connect from 189.210.203.35.bc.googleusercontent.com[35.203.210.189]
Dec 21 11:14:31 mail.vlh.dk postfix/smtpd improper command pipelining after CONNECT from 189.210.203.35.bc.googleusercontent.com[35.203.210.189]: GET / HTTP/1.1\r\nHost: 212.237.179.56:25\r\nUser-Agent: Expanse, a Palo Alto Networks company, searches
Dec 21 11:14:31 mail.vlh.dk postfix/smtpd disconnect from 189.210.203.35.bc.googleusercontent.com[35.203.210.189] commands=0/0

I guess that means it's handled as it should be?
-Kim

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
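As an added illustration (not part of Kim's post or of the Postfix announcement), the script below triages the "improper command pipelining after ..." lines that Postfix smtpd logs when a client sends input before the server has answered, which is the check the two workarounds above turn into a rejection. It extracts the stage at which pipelining was detected, the client, and the first pipelined bytes, and classifies each event as SMTP (a mail client or SMTP-speaking scanner) or non-SMTP (an HTTP probe, as in the shadowserver lines above). The sample log, host names and addresses are constructed; the regex accepts both the bare "postfix/smtpd" form seen in Kim's excerpt and the usual "postfix/smtpd[pid]:" form.

```python
"""Triage Postfix smtpd 'improper command pipelining' log events."""
import re
from collections import defaultdict

# Matches the warning Postfix smtpd logs when pipelining is detected.
# Accepts both "postfix/smtpd improper ..." (as in the mailing-list excerpt)
# and the usual "postfix/smtpd[1234]: improper ..." syslog form.
PIPELINING_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/smtpd(?:\[\d+\])?:? improper command pipelining after "
    r"(?P<stage>\S+) from (?P<client>\S+): (?P<data>.*)$"
)

# Verbs a real SMTP client may send (RFC 5321 plus common extensions).
# Anything else at the start of the pipelined data is not SMTP at all.
SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "BDAT", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}

# Constructed sample log modelled on the excerpt in the thread; hosts and
# addresses are documentation values, not real systems.
SAMPLE_LOG = r"""
Dec 10 22:50:47 mx.example.net postfix/smtpd[4242]: connect from unknown[192.0.2.10]
Dec 10 22:50:47 mx.example.net postfix/smtpd[4242]: improper command pipelining after CONNECT from unknown[192.0.2.10]: EHLO scanner-01\r\n
Dec 10 22:50:56 mx.example.net postfix/smtpd[4242]: lost connection after EHLO from unknown[192.0.2.10]
Dec 10 22:50:56 mx.example.net postfix/smtpd[4242]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Dec 11 07:05:17 mx.example.net postfix/smtpd improper command pipelining after CONNECT from probe.example.org[198.51.100.7]: GET / HTTP/1.1\r\nHost: 203.0.113.25:25\r\nUser-Agent: constructed-probe/1.0
Dec 11 07:05:17 mx.example.net postfix/smtpd warning: non-SMTP command from probe.example.org[198.51.100.7]: GET / HTTP/1.1
Dec 11 09:12:03 mx.example.net postfix/smtpd[4377]: improper command pipelining after RCPT from relay.example.com[203.0.113.9]: MAIL FROM:<a@example.com>\r\n
Dec 11 09:12:03 mx.example.net postfix/smtpd[4377]: disconnect from relay.example.com[203.0.113.9] ehlo=1 mail=1 rcpt=1 commands=3
"""


def classify(data):
    """Return 'smtp' if the pipelined data starts with an SMTP verb, else 'non-smtp'."""
    # Postfix logs CRLF inside the captured data as the literal text \r\n.
    first_line = data.split("\\r\\n", 1)[0]
    verb = first_line.split(" ", 1)[0].upper()
    return "smtp" if verb in SMTP_VERBS else "non-smtp"


def parse_pipelining_events(lines):
    """Extract every pipelining warning as a dict with ts, host, stage, client, data, kind."""
    events = []
    for line in lines:
        match = PIPELINING_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["kind"] = classify(event["data"])
        events.append(event)
    return events


def summarize(events):
    """Aggregate events per client: how often, at which stages, and what kind of input."""
    summary = defaultdict(lambda: {"count": 0, "stages": set(), "kinds": set()})
    for event in events:
        entry = summary[event["client"]]
        entry["count"] += 1
        entry["stages"].add(event["stage"])
        entry["kinds"].add(event["kind"])
    return dict(summary)


if __name__ == "__main__":
    found = parse_pipelining_events(SAMPLE_LOG.splitlines())
    for client, entry in summarize(found).items():
        print(f"{client}: {entry['count']} event(s), stages={sorted(entry['stages'])}, "
              f"kinds={sorted(entry['kinds'])}")
```

Pipe a real mail log into parse_pipelining_events (for example line by line from /var/log/mail.log) to see which clients trip the check and whether they are SMTP clients that genuinely pipeline out of turn or plain port scanners speaking HTTP; the latter are noise, the former are the cases worth a closer look under the Compatibility note in the announcement.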