On Tue, Aug 03, 2021 at 02:11:12PM -0400, Wietse Venema wrote:

> John Levine:
> > It appears that Wietse Venema <postfix-users@postfix.org> said:
> > >Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
> > >
> > >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> >
> > Just wondering, did you add the anti-http stuff because of ALPACA or was it
> > already there?
>
> Postfix 2.2 added both the GET etc. configurable forbidden word
> list and header detection (changelog says 20041124).

The initial detection of message headers in a command-context dates back
to 2002-02-18:

    https://github.com/vdukhovni/postfix/blob/fddaffebfbc7668f28a17ab3f12a6bcb84ed296f/postfix/HISTORY#L6066-L6070

when it was just:

    "Received:", 0, SMTPD_CMD_FLAG_HEADER,
    "Subject:", 0, SMTPD_CMD_FLAG_HEADER,
    "From:", 0, SMTPD_CMD_FLAG_HEADER,

- In postfix-1.1.7-20020501, the header list was expanded to include
  "Reply-To:" and "Message-ID:".

- In postfix-2.0.13-20030702, the list was further expanded to include
  "CONNECT" and "User-Agent:".

- Finally, in postfix-2.2-20041207, the code was updated to detect
  anything that looked like a header or a configurable list of
  commands (default: CONNECT GET POST).

--
    Viktor.
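
The check described in the message above, as an added example that is not part of the original post and is not Postfix's own code: a simplified classifier for a line received where an SMTP command is expected. The names `classify_command_line`, `looks_like_header` and `verb_is` are hypothetical; the word list is the default quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cmd_class { CMD_OK, CMD_FORBIDDEN_WORD, CMD_LOOKS_LIKE_HEADER };
/* Default word list from the message above; in Postfix it is configurable. */
static const char *forbidden_words[] = { "CONNECT", "GET", "POST", NULL };

/* Nonzero if the line starts with a header-style name: "Name:" or "Name :". */
static int looks_like_header(const char *line)
{
    size_t n = 0;
    while (line[n] > 32 && line[n] < 127 && line[n] != ':')
        n++;                    /* field name: printable, no space or colon */
    if (n == 0)
        return 0;
    while (line[n] == ' ' || line[n] == '\t')
        n++;
    return line[n] == ':';
}

/* Case-insensitive match of the len-byte verb at s against an upper-case word. */
static int verb_is(const char *s, size_t len, const char *word)
{
    if (strlen(word) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (toupper((unsigned char)s[i]) != word[i])
            return 0;
    return 1;
}

/* Classify one line received while the server expects an SMTP command. */
enum cmd_class classify_command_line(const char *line)
{
    line += strspn(line, " \t");
    if (looks_like_header(line))        /* e.g. "Host: ..." from an HTTP client */
        return CMD_LOOKS_LIKE_HEADER;
    size_t len = strcspn(line, " \t\r\n");
    for (const char **w = forbidden_words; *w != NULL; w++)
        if (verb_is(line, len, *w))
            return CMD_FORBIDDEN_WORD;
    return CMD_OK;                      /* "MAIL FROM:<...>" lands here */
}

int main(void)
{
    /* Constructed input: first line of an HTTP request sent to an SMTP port. */
    printf("%d\n", classify_command_line("GET / HTTP/1.1"));
    return 0;
}
```

A server that gets either non-OK class in command context can drop the session instead of answering with an SMTP error and reading on, so a cross-protocol HTTP request never reaches the point where its body could be parsed as SMTP commands.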