A tcpdump between smtp and smtpd shows a TCP handshake but no payload at
all.
That looks like the remote SMTP server wants to use TLS wrappermode,
but your Postfix SMTP client wants to use STARTTLS.
Ok, that was really dumb. Not seeing a banner should have given me a
clue that I broke the remo
I am currently doing some tests with Postfix 3.10 and postfix-tlspol
(using QUERYwithTLSRPT).
I see positive feedback for DANE as well as MTA-STS on the tlsrpt
socket. However, I was not able to produce negative feedback yet. In
case of "non DNSSEC destination", nothing is written to the tlsrp
You may have noticed that BDAT and BINARYMIME are distinct features.
Yes, but I have argued that RFC2045 compliance of mail data is a property of said data, not of the transport, so that BDAT,
BINARYMIME and even SMTP don't actually matter. RFC2045 has references to RFC821 because it was design
Your last two statements are exactly the crux of the matter, and I don't see
them justified, yet.
And yet they are justified. Wishful thinking does not change that.
Absent BINARYMIME the body time of a BDAT message is 8BITMIME, which is
still line-oriented.
If they are justified, then not by R
Postfix supports 8bit Data, with lines of 998 between CRLF, as
defined in https://datatracker.ietf.org/doc/html/rfc2045#section-2.8
Therefore, Postfix announces 8BITMIME in EHLO.
Postfix does not support Binary Data, as defined in
https://datatracker.ietf.org/doc/html/rfc2045#section-2.9 Binary
Th
I would like some opinions on how certain RFCs are to be interpreted.
My core question is: Is it possible to send mail in an RFC-conformant way into a
Postfix, such that there are more than 1000 consecutive Non-CRLFs?
I think everybody agrees that this is not possible with DATA. The
BDAT_README seems to
OpenSSL supports or does not support curves, Postfix just uses OpenSSL,
but the *default* list of curves passed to OpenSSL:
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp384r1 secp521r1
tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072
is deliberately pruned to just the mainstream optio
Does Postfix support Brainpool curves?
The Forward Secrecy Readme mentions X25519 and X448 explicitly, P-256
implicitly, while Brainpool curves don't come up anywhere.
I still tried with Postfix 3.9.1 and OpenSSL 3.4.0 but failed to
establish a TLS connection between `openssl s_client` and Po
SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with subj
I create test VPS (outside my infrastructure) and install all for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain
gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over. The default
should be good enough for basic smuggling tests
People are welcome to test tools against postfix-3.9-20240106.
I could test against a 3.7.9 codebase if you posted a patch for it.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.o
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
I will assemble a pcap and some logs when I'm back home.
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
smuggling for the `\r\n.\n` case.
Sorry, that was a bad copypaste, I meant '\r\n.\r'.
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.
After a small adaptation to the tool to use BDAT one can see what Wiet
The recommended settings are:
#
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
So what could be smuggled into a Postfix that defines "reject_unauth_pipelining" but does not define "smtpd_discard_ehlo_keywords
= chunking"?
SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions, "s
So as per your previous post, setting a policy such as this one would
do the trick?
...
This would be necessary to keep DMARC AR headers after they passed the
content_filter Amavis. It is not necessary for OpenDMARC to do its work.
It was not clear what "skipping OpenDMARC" means exactly, but
This question has stirred up a lot of answers but if I'm understanding
correctly, it looks like I cannot use opendmarc with amavisd in
postfix as a pre-queue filter for dkim. The only viable option is
opendkim with opendmarc as pre-queue milters like I was originally doing.
Conceptually you ca
correct, but amavisd supports rspamd, which has dmarc
what?
Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not
for DMARC policy enforcement.
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
in what way ?
amavisd-milter was already part of Dino's smtpd_milters. It is as if you had
said:
> http://www.postfix.org/. Just use that, it replaces the /etc you ha
By "getting skipped" I mean I have no logs of opendmarc doing anything.
Do you have logs of opendmarc doing anything if you remove Amavis from
smtpd_milters?
I don't understand how I would disable dkim in my content_filter
policy. Dkim verification is either enabled or disabled in Amavis
un
I tried this config but sadly it doesn't work, OpenDMARC
(127.0.0.1:54321) gets skipped completely
If "getting skipped" means that you don't see Authentication-Results for
DMARC, I have a feeling that you didn't disable DKIM verification on
your content_filter Interface Policy. Amavis will rem