On Fri, Dec 29, 2023 at 10:16:20AM +0100, natan via Postfix-users wrote:
> Hi
> In postfix-3.4.23 (debian) I set
>
> (I use always)
> smtpd_data_restrictions = reject_unauth_pipelining
>
> And today I put
> smtpd_discard_ehlo_keywords = chunking
>
>
> And I get many many logs like:
> ...
> Dec
Hi
In postfix-3.4.23 (debian) I set
(I use always)
smtpd_data_restrictions = reject_unauth_pipelining
And today I put
smtpd_discard_ehlo_keywords = chunking
And I get many many logs like:
...
Dec 29 10:10:13 msmtp postfix/submission/smtpd[11064]: discarding EHLO
keywords: CHUNKING
Dec 29 10:1
Damian via Postfix-users:
> > It really does not matter much, but leaving BDAT enabled can help in
> > some cases. It is not necessary to go this deep down the rabbit hole.
>
> So what could be smuggled into a Postfix that defines
> "reject_unauth_pipelining" but does not define
> "smtpd_discard_
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
So what could be smuggled into a Postfix that defines "reject_unauth_pipelining" but does not define "smtpd_discard_ehlo_keywords
= chunking"?
__
On Wed, Dec 27, 2023 at 11:40:56PM +0100, Damian via Postfix-users wrote:
> > The attack can be mitigated by using BDAT.
>
> Can someone clarify?
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
If both t
SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions, "s
