[pfx] Re: SMTP Smuggling with long-term fix
People are welcome to test tools against postfix-3.9-20240106.

I could test against a 3.7.9 codebase if you posted a patch for it.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SMTP Smuggling with long-term fix
On Sat, Jan 06, 2024 at 20:10:34 -0500, Wietse Venema via Postfix-users wrote:
> People are welcome to test tools against postfix-3.9-20240106.

With postfix-3.9-20240106 (with smtpd_forbid_bare_newline=yes but
smtpd_forbid_unauth_pipelining=no) all smuggling tests now fail,
including CRCRL tests.

https://github.com/The-Login/SMTP-Smuggling-Tools

Geert
[pfx] DISPUTED: SMTP Smuggling with long-term fix
Damian via Postfix-users:
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n

That is not a viable spoofing attack pattern.

To understand why, recall that an authenticated attacker sends an email
message to email service A, that contains a non-standard End-of-DATA in
the middle followed by attempted spoofed SMTP commands and message
content shown as indented text.

    mail from:
    rcpt to:
    data
        message content
        non-standard End-of-DATA
        mail from:
        rcpt to:
        data                    <<== or BDAT if available
        message content
    real End-of-DATA

The attacker's goal is that email service A delivers the message to
someone at email service B. That service confuses the non-standard
End-of-DATA with a real End-of-DATA, and delivers a message from to .

When the attack is successful, the attacker can impersonate any sender
in any email domain that is hosted at email service A, and still pass
the sender domain's SPF-based DMARC policy at email service B.

Coming back to the attack pattern ., or more generally, .whatever.
Note that this has '.' at the start of a line.

Mail service A, as required by RFC 5321, prepends a '.' to each line
that starts with '.'. What it sends to email service B is (attempted
spoofed commands and message shown indented):

    mail from:
    rcpt to:
    data
        message content
        ..whatever              <<== note the '..' here
        mail from:
        rcpt to:
        data                    <<== or BDAT if available
        message content
    real End-of-DATA

When email service B receives the ..whatever, there is no confusion
whether this is End-of-DATA. No message is delivered from to , instead
someone received one email message with SMTP commands in the middle.

In summary, this attack does not work. I'll update the stable releases
to pacify test tools, but that is a lower priority. Meanwhile I'd
request that tool developers avoid vulnerability claims based on
patterns that are not viable for spoofing attacks.

Wietse
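As an added illustration of the dot-stuffing argument above (example code written for this archive page, not Postfix source): a sending side that applies RFC 5321 section 4.5.2 dot-stuffing and a receiving side that ends DATA only on <CRLF>.<CRLF>, run over a constructed message that contains the disputed \r\n\r\n.\r\r\n pattern. The receiver here is a minimal stand-in for "email service B", not Postfix's smtpd, and the addresses are placeholders.

```python
# Added example, not Postfix code. Shows why a body line ".\r" is harmless
# once service A dot-stuffs it to "..\r" and service B ends DATA only on
# a line that is exactly "." between CRLFs.

CRLF = b"\r\n"
END_OF_DATA = CRLF + b"." + CRLF


def dot_stuff(body: bytes) -> bytes:
    """Sender (service A): prepend '.' to every line that starts with '.'
    (RFC 5321 section 4.5.2). Lines are delimited by CRLF only, so the
    bytes "\\r\\n.\\r\\r\\n" contain a line ".\\r", which becomes "..\\r"."""
    return CRLF.join(b"." + ln if ln.startswith(b".") else ln
                     for ln in body.split(CRLF))


def dot_unstuff(body: bytes) -> bytes:
    """Receiver: remove the stuffed leading '.' after DATA has ended."""
    return CRLF.join(ln[1:] if ln.startswith(b".") else ln
                     for ln in body.split(CRLF))


def split_data_stream(stream: bytes):
    """Receiver (service B): return (stuffed_body, bytes_after_DATA), or
    None when no terminator has arrived yet. Only <CRLF>.<CRLF> (or ".\\r\\n"
    as the very first line) ends DATA; ".\\r" and "..whatever" are body."""
    if stream.startswith(b"." + CRLF):
        return b"", stream[len(b"." + CRLF):]
    idx = stream.find(END_OF_DATA)
    if idx < 0:
        return None
    return stream[:idx], stream[idx + len(END_OF_DATA):]


def relay_and_receive(body: bytes):
    """Simulate A relaying `body` to B. Returns (message B stores,
    leftover bytes B would go on to parse as SMTP commands)."""
    wire = dot_stuff(body) + END_OF_DATA
    stuffed, rest = split_data_stream(wire)
    return dot_unstuff(stuffed), rest


# Constructed message: the disputed pattern followed by text the sender
# hopes B will read as commands. <spoofed>/<victim> are placeholders.
SMUGGLE_ATTEMPT = (b"Subject: hello" + CRLF + CRLF + b"first part" + CRLF
                   + CRLF + b".\r\r\n"
                   + b"mail from:<spoofed>" + CRLF + b"rcpt to:<victim>" + CRLF
                   + b"data" + CRLF + b"second part")

if __name__ == "__main__":
    stored, leftover = relay_and_receive(SMUGGLE_ATTEMPT)
    print(b"\r\n..\r\r\n" in dot_stuff(SMUGGLE_ATTEMPT), leftover == b"")
```

B stores a single message whose body still contains the "mail from:" text as ordinary lines, and nothing is left over to be parsed as a second envelope.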
[pfx] Smuggling?
First I am really amazed at the amount of support, that's not true
everywhere. I also like the tone of the posts, very respectful.

I have 3.7.9 and all the settings.

Outlook protection is slamming me, 6 to 10 worthless emails every day.
Glad they don't make condoms.

I have sent everyone with source back to ab...@outlook.com. They always
automatically thank me.

I can't block outlook, so I gave up and block all onmicrosoft emails.

I'll see how that goes.

--john
[pfx] Re: Smuggling?
Same here, but I found some interesting facts about outlook spam: they
have 4 common marks that can be used to catch them with SpamAssassin.

The following rules block all outlook spam, but will also block some
legitimate emails that use "undisclosed recipients". Not a big deal for
me and my networks, but be aware of this limitation.

To use, simply copy-paste the rules under
/etc/mail/spamassassin/outlook.cf (which is the correct location for
Enterprise Linux distros like Alma, Rocky and Oracle).

Here are the rules:

    header   __SPAM_DOMAIN_OUTLOO1  Received =~ /outbound\.protection\.outlook\.com/i
    header   __SPAM_DOMAIN_OUTLOO2  From =~ /\@(?:outlook|hotmail)\.com\b/i
    header   __SPAM_DOMAIN_OUTLOO3  To =~ /undisclosed/i
    header   __SPAM_DOMAIN_OUTLOO4  To =~ /recipients/i
    header   __SPAM_DOMAIN_OUTLOO5  exists:To

    meta     SPAM_DOMAIN_OUTLOO6  (__SPAM_DOMAIN_OUTLOO1 && (__SPAM_DOMAIN_OUTLOO3 || __SPAM_DOMAIN_OUTLOO4))
    score    SPAM_DOMAIN_OUTLOO6  15.0
    describe SPAM_DOMAIN_OUTLOO6  Outlook spam with undisclosed recipients (outloo)

    meta     SPAM_DOMAIN_OUTLOO7  (__SPAM_DOMAIN_OUTLOO2 && MISSING_HEADERS)
    score    SPAM_DOMAIN_OUTLOO7  15.0
    describe SPAM_DOMAIN_OUTLOO7  Outlook spam with missing headers (outloo)

    meta     SPAM_DOMAIN_OUTLOO8  (__SPAM_DOMAIN_OUTLOO1 && __SPAM_DOMAIN_OUTLOO2 && __TO_EQ_FROM_DOM)
    score    SPAM_DOMAIN_OUTLOO8  15.0
    describe SPAM_DOMAIN_OUTLOO8  Outlook spam, same From/To (outloo)

    meta     SPAM_DOMAIN_OUTLOO9  (__SPAM_DOMAIN_OUTLOO1 && MISSING_HEADERS && !__SPAM_DOMAIN_OUTLOO5)
    score    SPAM_DOMAIN_OUTLOO9  15.0
    describe SPAM_DOMAIN_OUTLOO9  Outlook spam with missing headers, missing To (outloo)

On Sun, 7 Jan 2024 10:17:56 -0500 John Hill via Postfix-users wrote:
> First I am really amazed at the amount of support, that's not true
> everywhere. I also like the tone of the posts, very respectful.
>
> I have 3.7.9 and all the settings.
>
> Outlook protection is slamming me, 6 to 10 worthless emails every day.
> glad they don't make condoms.
>
> I have sent everyone with source back to ab...@outlook.com. They always
> automatically thank me.
>
> I can't block outlook, so I gave up and block all onmicrosoft emails.
>
> I'll see how that goes.
>
> --john
[pfx] Re: Smuggling?
Thx. Will do!

--john

On 1/7/24 12:57 PM, mailmary--- via Postfix-users wrote:
> Same here, but I found some interesting facts about outlook spam, they
> have 4 common marks that can be used to catch them with Spamassassin.
>
> The following rules block all outlook spam, but will also block some
> legitimate emails that use "undisclosed recipients". Not a big deal for
> me and my networks, but be aware of this limitation.
>
> To use, simply copy paste the rules under
> /etc/mail/spamassassin/outlook.cf (which is the correct location for
> Enterprise Linux distros like Alma, Rocky and Oracle).
>
> Here are the rules:
>
>     header   __SPAM_DOMAIN_OUTLOO1  Received =~ /outbound\.protection\.outlook\.com/i
>     header   __SPAM_DOMAIN_OUTLOO2  From =~ /\@(?:outlook|hotmail)\.com\b/i
>     header   __SPAM_DOMAIN_OUTLOO3  To =~ /undisclosed/i
>     header   __SPAM_DOMAIN_OUTLOO4  To =~ /recipients/i
>     header   __SPAM_DOMAIN_OUTLOO5  exists:To
>
>     meta     SPAM_DOMAIN_OUTLOO6  (__SPAM_DOMAIN_OUTLOO1 && (__SPAM_DOMAIN_OUTLOO3 || __SPAM_DOMAIN_OUTLOO4))
>     score    SPAM_DOMAIN_OUTLOO6  15.0
>     describe SPAM_DOMAIN_OUTLOO6  Outlook spam with undisclosed recipients (outloo)
>
>     meta     SPAM_DOMAIN_OUTLOO7  (__SPAM_DOMAIN_OUTLOO2 && MISSING_HEADERS)
>     score    SPAM_DOMAIN_OUTLOO7  15.0
>     describe SPAM_DOMAIN_OUTLOO7  Outlook spam with missing headers (outloo)
>
>     meta     SPAM_DOMAIN_OUTLOO8  (__SPAM_DOMAIN_OUTLOO1 && __SPAM_DOMAIN_OUTLOO2 && __TO_EQ_FROM_DOM)
>     score    SPAM_DOMAIN_OUTLOO8  15.0
>     describe SPAM_DOMAIN_OUTLOO8  Outlook spam, same From/To (outloo)
>
>     meta     SPAM_DOMAIN_OUTLOO9  (__SPAM_DOMAIN_OUTLOO1 && MISSING_HEADERS && !__SPAM_DOMAIN_OUTLOO5)
>     score    SPAM_DOMAIN_OUTLOO9  15.0
>     describe SPAM_DOMAIN_OUTLOO9  Outlook spam with missing headers, missing To (outloo)
>
> On Sun, 7 Jan 2024 10:17:56 -0500 John Hill via Postfix-users wrote:
>> First I am really amazed at the amount of support, that's not true
>> everywhere. I also like the tone of the posts, very respectful.
>>
>> I have 3.7.9 and all the settings.
>>
>> Outlook protection is slamming me, 6 to 10 worthless emails every day.
>> glad they don't make condoms.
>>
>> I have sent everyone with source back to ab...@outlook.com. They always
>> automatically thank me.
>>
>> I can't block outlook, so I gave up and block all onmicrosoft emails.
>>
>> I'll see how that goes.
>>
>> --john
[pfx] Re: Smuggling?
On 07.01.24 10:17, John Hill via Postfix-users wrote:
> First I am really amazed at the amount of support, that's not true
> everywhere. I also like the tone of the posts, very respectful.
>
> I have 3.7.9 and all the settings.
>
> Outlook protection is slamming me, 6 to 10 worthless emails every day.
> glad they don't make condoms.
>
> I have sent everyone with source back to ab...@outlook.com. They always
> automatically thank me.
>
> I can't block outlook, so I gave up and block all onmicrosoft emails.
>
> I'll see how that goes.

Is the domain still the same? Last time I got spam from such a domain,
I blocked the .onmicrosoft.com domain at MTA level.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.
[pfx] Re: Smuggling?
I added onmicrosoft.com to my sender access file, I've dumped 10 so far.

On 1/7/24 1:41 PM, Matus UHLAR - fantomas via Postfix-users wrote:
> On 07.01.24 10:17, John Hill via Postfix-users wrote:
>> First I am really amazed at the amount of support, that's not true
>> everywhere. I also like the tone of the posts, very respectful.
>>
>> I have 3.7.9 and all the settings.
>>
>> Outlook protection is slamming me, 6 to 10 worthless emails every day.
>> glad they don't make condoms.
>>
>> I have sent everyone with source back to ab...@outlook.com. They always
>> automatically thank me.
>>
>> I can't block outlook, so I gave up and block all onmicrosoft emails.
>>
>> I'll see how that goes.
>
> Is the domain still the same? Last time I got spam from such domain,
> I have blocked the .onmicrosoft.com domain at MTA level.
[pfx] recipient_bcc_maps clarification.
Hello,

We have in main.cf

    always_bcc = zz...@xx.com

and our domain is xx.com.

For 2 specific recipients of our domain, we don't want always_bcc to be
applied. I.e. if a mail is addressed to a...@xx.com (our domain only),
the mail should not be Bcc'd to zz...@xx.com. Similarly, if the mail
recipient is d...@xx.com (our domain only), the mail should not be Bcc'd
to zz...@xx.com. For all others, always_bcc should continue.

So, in summary:

    # main.cf
    always_bcc = zz...@xx.com
    recipient_bcc_maps = regexp:/etc/postfix/regexp_recipient_bcc

    # /etc/postfix/regexp_recipient_bcc
    a...@xx.com    a...@xx.com
    d...@xx.com    d...@xx.com

Will the above configuration give the desired results? I.e. always_bcc
should not apply to a...@xx.com and d...@xx.com, and instead the mails
are delivered to a...@xx.com and d...@xx.com only.

--
Anant S Athavale

--
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
Website: https://www.ursc.gov.in
--