mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0
8.9k stars 1.17k forks

Postfix SMTP Smuggling #5613

Closed chriscroome closed 10 months ago

chriscroome commented 10 months ago

Summary

Update the Postfix configuration with the suggested short-term workarounds.

Motivation

Security and spoofing.

Additional context

A short-term workaround can be deployed now, before the upcoming long holiday and associated production change freeze.

NOTE: This will stop only the published form of the attack. Other forms exist that will not be stopped in this manner.

  • With all Postfix versions, "smtpd_data_restrictions = reject_unauth_pipelining" will stop the published exploit.
  • Postfix 3.9 (stable release expected early 2024), rejects unauthorised pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
  • Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature, but the "smtpd_forbid_unauth_pipelining" parameter defaults to "no".

This will block misuse of SMTP command pipelining, when one network packet contains multiple lines with smuggled SMTP commands and message content. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.

Compatibility: the setting "smtpd_forbid_unauth_pipelining = yes" or "smtpd_data_restrictions = reject_unauth_pipelining" may break legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare, especially when email is sent across the Internet.

mkuron commented 10 months ago

smtpd_data_restrictions is probably not worth it as it does not stop all forms of this attack. However, a new stable version of Postfix was just released with a proper fix:

A long-term fix is now available for Postfix 3.8.4, 3.7.9, 3.6.13 and 3.5.23. This stops all forms of the smuggling attacks on recipients at a Postfix server. It introduces a new optional feature that is disabled by default.

With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server disconnects a remote SMTP client that sends a line ending in a 'bare newline'. The default setting is "no".

I believe we are using Postfix from Debian Bullseye, so it might be another day before the updated package is available: https://security-tracker.debian.org/tracker/source-package/postfix

mkuron commented 10 months ago

Debian Bullseye still hasn't received an updated Postfix package. Neither has Bookworm, for that matter, so rebuilding the image with a newer Debian version won't help either. We'll have to continue waiting. Comments on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059230 suggest that the update should be coming today.

chriscroome commented 10 months ago

There is a Postfix update now available for Debian Bullseye version 3.5.23-0+deb11u1.

MAGICCC commented 10 months ago

Should be fixed in https://github.com/mailcow/mailcow-dockerized/pull/5623