SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions, "smtpd_data_restrictions = reject_unauth_pipelining" will stop the published exploit.
There are seemingly contradictory statements in various articles about whether BDAT should
be enabled or disabled.
https://www.postfix.org/smtp-smuggling.html:
The idea is ... to reject BDAT commands.
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/:
we're looking for an inbound SMTP server that interprets <LF>.<CR><LF> as an
end-of-data sequence and doesn't support BDAT
https://www.csoonline.com/article/1269779/smtp-smuggling-enables-email-spoofing-while-passing-security-checks.html:
To be vulnerable to spoofing via Exchange Online messages, an incoming SMTP server needs to meet
two conditions instead of one: Not support BDAT and interpret <LF>.<CR><LF> as
an end-of-data sequence.
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.pdf:
The attack can be mitigated with ... as well as the use of the BDAT command, ...
which roughly translates to:
The attack can be mitigated by using BDAT.
Can someone clarify?
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
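The behaviour the quoted articles describe, as an added example that is not part of the thread or of Postfix: a strict parser ends DATA only at <CR><LF>.<CR><LF>, while a lenient one also honours <LF>.<CR><LF>, so one stream yields one message for the former and two for the latter. The sample stream and the lenient terminator set are constructed assumptions for illustration.

```python
from __future__ import annotations

# Added example (not Postfix code, not from the original post). It models the
# difference between a strict RFC 5321 end-of-data parser and a lenient one.

STRICT_EOD = b"\r\n.\r\n"                  # the only end-of-data sequence RFC 5321 defines
LENIENT_EODS = (STRICT_EOD, b"\n.\r\n")    # assumed behaviour of a lenient inbound server

# Constructed DATA stream: a bare <LF>.<CR><LF> sits in the middle of the body.
SAMPLE_STREAM = (
    b"Subject: hello\r\n"
    b"\r\n"
    b"first part"
    b"\n.\r\n"          # <LF>.<CR><LF>, not a valid terminator
    b"second part"
    b"\r\n.\r\n"        # the real terminator
)


def split_data(stream: bytes, terminators=(STRICT_EOD,)) -> list[bytes]:
    """Messages a server would accept from one DATA stream, given which byte
    sequences it treats as end-of-data. Bytes after the last terminator
    (an unterminated remainder) are not returned."""
    messages = []
    pos = 0
    while True:
        # Earliest hit among all accepted terminators from the current position.
        hits = []
        for term in terminators:
            idx = stream.find(term, pos)
            if idx != -1:
                hits.append((idx, term))
        if not hits:
            return messages
        idx, term = min(hits)
        messages.append(stream[pos:idx])
        pos = idx + len(term)


def bare_lf_terminators(stream: bytes) -> list[int]:
    """Offsets of <LF>.<CR><LF> sequences not preceded by <CR>. A relay could log
    or reject a message containing these instead of forwarding it unchanged."""
    return [
        i for i in range(len(stream))
        if stream.startswith(b"\n.\r\n", i) and stream[i - 1:i] != b"\r"
    ]


if __name__ == "__main__":
    print(len(split_data(SAMPLE_STREAM)), "message(s) for a strict server")
    print(len(split_data(SAMPLE_STREAM, LENIENT_EODS)), "message(s) for a lenient server")
    print("bare <LF>.<CR><LF> at offsets", bare_lf_terminators(SAMPLE_STREAM))
```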