mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Update Postfix Configuration to prevent CHUNKING / BDAT vulnerability #5685

Open Bassbauer opened 5 months ago

Bassbauer commented 5 months ago

Summary

As fixed in Report #5613, Postfix has changed the keyword to prevent the CHUNKING/BDAT attack from

smtpd_forbid_bare_newline = yes

to:

smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks

The aforementioned smtpd_forbid_bare_newline = yes still works but is now an alias.

Documentation from Wietse: https://www.postfix.org/smtp-smuggling.html

Please adjust if possible.

Thanks

Motivation

Update the configuration to match the Postfix recommendation / syntax.

Additional context

No response

DerLinkman commented 5 months ago

What do you think? @dragoangel

dragoangel commented 5 months ago

@DerLinkman have we updated to 3.8.5, 3.7.10, 3.6.14 and 3.5.24? The older setting "[smtpd_forbid_bare_newline](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline) = yes" is now an alias for "[smtpd_forbid_bare_newline](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline) = normalize".

If we updated, it would just start working in the new way out of the box. We can change this later; the main point is to have an up-to-date Postfix here.

MAGICCC commented 5 months ago

Seems Postfix in such versions is not in the Debian repos yet. We use Bullseye, hence the latest version is 3.5.23. Even in Bookworm it's 3.7.6 or 3.7.9.

chriscroome commented 5 months ago

Trixie has 3.8.5, generally unstable / testing is stable enough… :woman_shrugging: And I guess bookworm-updates will soon have the Trixie version.

dragoangel commented 5 months ago

Any clues why we use Debian and not Alpine for Postfix? Debian is a slow turtle, sorry...

DerLinkman commented 5 months ago

Hehe, good point. I've just begun porting Postfix to Alpine within mailcow today, as I asked this question myself.

chriscroome commented 5 months ago

> Any clues why we use Debian and not Alpine for Postfix?

I recall @andryyy had good reasons for this; for example, here is one, and there are probably others. I'd suggest doing a lot of testing before making this switch for production.

DerLinkman commented 5 months ago

That's six years old. Alpine has changed a lot, so I wouldn't play that card. However, testing is important, as it was for Dovecot.

andryyy commented 5 months ago

Changing the base is nothing you do just because you like x better than y. Or whatever reason that’s not backed by a solid point.

It broke Postfix (some weird TLS issue) back then.

Just clicking around a bit is not a valid test, just saying.

And if it works and has not failed in the past… well. Given the project size I preferred to not play around back then.

Sad cow is sad. Should fork and fix.

DerLinkman commented 5 months ago

Do what you want. We do what we want. If it's good it's good. If not it's not. Just saying

chriscroome commented 5 months ago

Regarding the question asked above by @dragoangel:

> we have updated to 3.8.5, 3.7.10, 3.6.14 and 3.5.24?

Debian Bullseye 11.9 was released yesterday and it includes Postfix 3.5.24:

> postfix: New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]

Also Debian Bookworm 12.5 was released yesterday and it includes Postfix 3.7.10:

> postfix: New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]

dragoangel commented 5 months ago

@chriscroome but the time until they get updated is not quick, and none of them include a fresh Postfix; this is my point. We could in the same way have used rspamd from the Debian repo in the Debian image, but we didn't go that way as it is too old; we use pre-built deb packages. From this view we don't have such an alternative for Postfix, so I think it's better to just switch the base distro if no blockers exist. From a raw view I don't see any of them.

SwissOS commented 3 months ago

Somewhat related to CHUNKING, could you please change:

smtpd_discard_ehlo_keywords = chunking

to this one:

# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent-discard

I don't want to see "discarding EHLO keywords: CHUNKING" every time I get a connection in my Postfix log ;)

More details here: https://www.postfix.org/BDAT_README.html

dragoangel commented 3 months ago

> Somewhat related to CHUNKING, could you please change:
>
> smtpd_discard_ehlo_keywords = chunking
>
> to this one:
>
> # The non-logging alternative:
> smtpd_discard_ehlo_keywords = chunking, silent-discard
>
> I don't want to see "discarding EHLO keywords: CHUNKING" every time I get a connection in my Postfix log ;)
>
> More details here: https://www.postfix.org/BDAT_README.html

As this change can be implemented, why not just create a PR? :)
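Added example (not part of this thread or of mailcow's code): a small audit that parses a main.cf and checks the three settings discussed above, the bare-newline mode and its exclusions from the opening post and the chunking / silent-discard keywords from the later comment. The main.cf content is constructed for the example; it assumes the pre-3.9 default of "no" when smtpd_forbid_bare_newline is unset.

```python
"""Audit Postfix main.cf for the SMTP-smuggling (CVE-2023-51764) settings
discussed in this thread: smtpd_forbid_bare_newline, its exclusions, and
whether CHUNKING (BDAT) is discarded from EHLO, silently or not."""

# Constructed sample main.cf (not from any real deployment); it deliberately
# uses the old 'yes' alias, omits the exclusions, and discards CHUNKING loudly.
SAMPLE_MAIN_CF = """\
# constructed example main.cf
mynetworks = 127.0.0.0/8
    [::1]/128
smtpd_forbid_bare_newline = yes
smtpd_discard_ehlo_keywords = chunking
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value' lines, '#' comment lines, and
    continuation lines (leading whitespace) appended to the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def audit_smuggling_settings(params):
    """Return a list of findings; an empty list means all three
    recommendations from the thread are in place."""
    findings = []
    mode = params.get("smtpd_forbid_bare_newline", "no")  # assumed pre-3.9 default
    if mode == "yes":  # 'yes' is now an alias for 'normalize'
        mode = "normalize"
    if mode not in ("normalize", "reject"):
        findings.append("bare newlines not forbidden: set smtpd_forbid_bare_newline = normalize")
    if params.get("smtpd_forbid_bare_newline_exclusions") != "$mynetworks":
        findings.append("smtpd_forbid_bare_newline_exclusions should be $mynetworks")
    raw_keywords = params.get("smtpd_discard_ehlo_keywords", "")
    keywords = {k.strip().lower() for k in raw_keywords.split(",") if k.strip()}
    if "chunking" not in keywords:
        findings.append("CHUNKING still advertised: add chunking to smtpd_discard_ehlo_keywords")
    elif "silent-discard" not in keywords:
        findings.append("CHUNKING discarded but logged per connection: add silent-discard")
    return findings


if __name__ == "__main__":
    for finding in audit_smuggling_settings(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

Point it at a real file with `parse_main_cf(open("/etc/postfix/main.cf").read())` or at the output of `postconf -n`, which uses the same syntax.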