Reverted some changes after postfix-3.9-20240112, and updated
documentation.
+
+20240118
+
+ Documentation: Microsoft uses BDAT to send content with
+ bare LF. This violates the canonical MIME format for text
+ messages as required in RFC 3030 section 3, and as defined
+ in RFC 2045 sections 2.7 and 2.8. Files: proto/postconf.proto,
+ RELEASE_NOTES.
+
+ Baseline for back porting the SMTP smuggling fixes to Postfix
+ 3.8.5, 3.7.10, 3.6.14, and 3.5.24.
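Review bot: the 20240118 entry does not record the revert that the commit message announces ("Reverted some changes after postfix-3.9-20240112"); it lists only the BDAT documentation change and the backport baseline. Add a HISTORY line that names what was reverted (per the RELEASE_NOTES rewrite further down, the stripping of the extra <CR> in <CR><LF>.<CR><CR><LF>) and the files touched, so that HISTORY and RELEASE_NOTES describe the same change.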
This feature applies to all email that Postfix locally or remotely
sends out. It is not allowlisted based on client identity.
-Major changes with snapshot 20240116
+Major changes with snapshot 20240118
====================================
This updates Postfix fixes for inbound SMTP smuggling attacks. For
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
- # Exclude local SMTP clients from enforcement.
- #
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
- # that do not send <CR><LF>.<CR><LF>. Such clients need to be
- # excluded with smtpd_forbid_bare_newline_exclusions.
+ # that do not terminate DATA content with the standard End-of-DATA
+ # sequence <CR><LF>.<CR><LF>.
+ #
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
Alternative settings:
- # Reject input lines that end in <LF>, require that input lines
- # end in <CR><LF>, and require the standard End-of-DATA sequence
- # <CR><LF>.<CR><LF>.
+ # Reject input lines that contain <LF> and log a "bare <LF> received"
+ # error. Require that input lines end in <CR><LF>, and require the
+ # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ #
+ # This will reject email from SMTP clients that send any non-standard
+ # line endings such as web applications, netcat, or load balancer
+ # health checks.
#
- # Exclude local SMTP clients from enforcement.
+ # This will also reject some email from Microsoft services whose
+ # BDAT implementations violate the canonical MIME format for text
+ # messages required in RFC 3030 Section 3, and defined in RFC 2045
+ # Sections 2.7 and 2.8.
#
- # This will fail to receive email from SMTP clients that send any
- # non-standard line endings such as web applications, netcat, or
- # load balancer health checks. Such clients need to be excluded with
- # smtpd_forbid_bare_newline_exclusions.
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = reject
smtpd_forbid_bare_newline_exclusions = $mynetworks
+ #
+ # Alternatively, in the case of BDAT violations, BDAT can be selectively
+ # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+ # disabled with smtpd_discard_ehlo_keywords.
+ #
+ # smtpd_discard_ehlo_keyword_address_maps =
+ # cidr:{{10.0.0.1/24 chunking, silent-discard}}
+ # smtpd_discard_ehlo_keywords = chunking, silent-discard
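Review bot: the cidr pattern in the commented example, `10.0.0.1/24`, has non-zero host bits beneath its /24 mask; write the network address instead, `cidr:{{10.0.0.0/24 chunking, silent-discard}}`, so that readers who copy the example get a canonical prefix rather than a host address with a network mask. The same pattern appears in the postconf.proto and man page copies of this example and should be changed there as well.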
Major changes with snapshot 20240106
====================================
-Inbound SMTP smuggling: strip extra <CR> in <CR><LF>.<CR><CR><LF>,
-to silence some tools that send attack sequences that are not viable.
+Inbound SMTP smuggling: don't strip extra <CR> in <CR><LF>.<CR><CR><LF>,
+to silence test tools that send attack sequences that are not viable.
Details at https://www.postfix.org/false-smuggling-claims.html
Incompatible changes with snapshot 20231221
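Review bot: the rewritten 20240106 entry inverts the behaviour ("strip" becomes "don't strip") but keeps the same justification, "to silence test tools that send attack sequences that are not viable", so the sentence no longer explains anything: the old text gave that reason for stripping the extra <CR>, and the new text gives the identical reason for not stripping it. State the actual reason for leaving the extra <CR> in place, or name the section of https://www.postfix.org/false-smuggling-claims.html that covers it, since "Details at" is the only pointer a reader gets.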
standard <CR><LF>. <br> <br> This maintains compatibility
with many legitimate SMTP client applications that send a mix of
standard and non-standard line endings, but will fail to receive
-email from client implementations that do not send
-<CR><LF>.<CR><LF>. Such clients need to be
-excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+email from client implementations that do not terminate DATA content
+with the standard End-of-DATA sequence
+<CR><LF>.<CR><LF>. <br> <br> Such clients
+can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Reject a command
-or message content when a line ends in <LF>, log a "bare
+or message content when a line contains bare <LF>, log a "bare
<LF> received" error, and reply with the SMTP status code in
-$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will fail
-to receive email from SMTP clients that may send any non-standard
-line endings such as web applications, netcat, or load balancer
-health checks. Such clients need to be excluded with
-<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will reject
+email from SMTP clients that send any non-standard line endings
+such as web applications, netcat, or load balancer health checks.
+<br> <br> This will also reject some email from Microsoft services
+whose BDAT implementations violate the canonical MIME format for
+text messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC</a>
+<a href="https://tools.ietf.org/html/rfc2045">2045</a> Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
+with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
<dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Always process
</dl>
-<p> Examples: </p>
+<p> Example 1: </p>
<blockquote>
<pre>
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
-#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
-# excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = normalize
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
+<p> Example 2: </p>
+
<blockquote>
<pre>
-# Reject input lines that end in <LF>, require that input lines
-# end in <CR><LF>, and require the standard End-of-DATA sequence
-# <CR><LF>.<CR><LF>.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
#
-# This will fail to receive email from SMTP clients that send any
-# non-standard line endings such as web applications, netcat, or
-# load balancer health checks. Such clients need to be excluded with
-# <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# This will also reject some email from Microsoft services whose
+# BDAT implementations violate the canonical MIME format for text
+# messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>.
+#
+# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> =
+# <a href="cidr_table.5.html">cidr</a>:{{10.0.0.1/24 chunking, silent-discard}}
+# <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent-discard
</pre>
</blockquote>
This maintains compatibility
with many legitimate SMTP client applications that send a mix of
standard and non\-standard line endings, but will fail to receive
-email from client implementations that do not send
-<CR><LF>.<CR><LF>. Such clients need to be
-excluded with smtpd_forbid_bare_newline_exclusions.
+email from client implementations that do not terminate DATA content
+with the standard End\-of\-DATA sequence
+<CR><LF>.<CR><LF>.
+.br
+.br
+Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions.
.br
.IP "\fByes\fR"
Compatibility alias for \fBnormalize\fR.
.IP "\fBreject\fR"
Require the standard End\-of\-DATA
sequence <CR><LF>.<CR><LF>. Reject a command
-or message content when a line ends in <LF>, log a "bare
+or message content when a line contains bare <LF>, log a "bare
<LF> received" error, and reply with the SMTP status code in
$smtpd_forbid_bare_newline_reject_code.
.br
.br
-This will fail
-to receive email from SMTP clients that may send any non\-standard
-line endings such as web applications, netcat, or load balancer
-health checks. Such clients need to be excluded with
-smtpd_forbid_bare_newline_exclusions.
+This will reject
+email from SMTP clients that send any non\-standard line endings
+such as web applications, netcat, or load balancer health checks.
+.br
+.br
+This will also reject some email from Microsoft services
+whose BDAT implementations violate the canonical MIME format for
+text messages required in RFC 3030 Section 3, and defined in RFC
+2045 Sections 2.7 and 2.8.
+.br
+.br
+Such clients can be excluded
+with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords).
.br
.IP "\fBno\fR"
Do not require the standard End\-of\-DATA
.br
.br
.PP
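Review bot: the parameter descriptions say such clients "can be excluded with smtpd_forbid_bare_newline_exclusions" (normalize and reject paragraphs), while the example comments say they "can be allowlisted with smtpd_forbid_bare_newline_exclusions"; pick one verb for all copies. "Allowlisted", which this change also adds to the spelling stop list, is the safer choice, because "excluded" next to a paragraph about rejecting email can be read as "excluded from delivery" rather than "excluded from enforcement".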
-Examples:
+Example 1:
.sp
.in +4
.nf
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
-#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non\-standard line
# endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# that do not terminate DATA content with the standard End\-of\-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
.ad
.ft R
.in -4
+.PP
+Example 2:
.sp
.in +4
.nf
.na
.ft C
-# Reject input lines that end in <LF>, require that input lines
-# end in <CR><LF>, and require the standard End\-of\-DATA sequence
-# <CR><LF>.<CR><LF>.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non\-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
#
-# This will fail to receive email from SMTP clients that send any
-# non\-standard line endings such as web applications, netcat, or
-# load balancer health checks. Such clients need to be excluded with
-# smtpd_forbid_bare_newline_exclusions.
+# This will also reject some email from Microsoft services whose
+# BDAT implementations violate the canonical MIME format for text
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = reject
smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+# cidr:{{10.0.0.1/24 chunking, silent\-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent\-discard
.fi
.ad
.ft R
standard <CR><LF>. <br> <br> This maintains compatibility
with many legitimate SMTP client applications that send a mix of
standard and non-standard line endings, but will fail to receive
-email from client implementations that do not send
-<CR><LF>.<CR><LF>. Such clients need to be
-excluded with smtpd_forbid_bare_newline_exclusions. </dd>
+email from client implementations that do not terminate DATA content
+with the standard End-of-DATA sequence
+<CR><LF>.<CR><LF>. <br> <br> Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions. </dd>
<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Reject a command
-or message content when a line ends in <LF>, log a "bare
+or message content when a line contains bare <LF>, log a "bare
<LF> received" error, and reply with the SMTP status code in
-$smtpd_forbid_bare_newline_reject_code. <br> <br> This will fail
-to receive email from SMTP clients that may send any non-standard
-line endings such as web applications, netcat, or load balancer
-health checks. Such clients need to be excluded with
-smtpd_forbid_bare_newline_exclusions. </dd>
+$smtpd_forbid_bare_newline_reject_code. <br> <br> This will reject
+email from SMTP clients that send any non-standard line endings
+such as web applications, netcat, or load balancer health checks.
+<br> <br> This will also reject some email from Microsoft services
+whose BDAT implementations violate the canonical MIME format for
+text messages required in RFC 3030 Section 3, and defined in RFC
+2045 Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
+with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords). </dd>
<dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
sequence <CR><LF>.<CR><LF>. Always process
</dl>
-<p> Examples: </p>
+<p> Example 1: </p>
<blockquote>
<pre>
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
-#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
+<p> Example 2: </p>
+
<blockquote>
<pre>
-# Reject input lines that end in <LF>, require that input lines
-# end in <CR><LF>, and require the standard End-of-DATA sequence
-# <CR><LF>.<CR><LF>.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
#
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
#
-# This will fail to receive email from SMTP clients that send any
-# non-standard line endings such as web applications, netcat, or
-# load balancer health checks. Such clients need to be excluded with
-# smtpd_forbid_bare_newline_exclusions.
+# This will also reject some email from Microsoft services whose
+# BDAT implementations violate the canonical MIME format for text
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = reject
smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+# cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent-discard
</pre>
</blockquote>
probers
lf
EOD
+chunking
+allowlists
virtual virtual alias domain anything right hand content does not matter
skipping unexpected LF LF in DATA from
Inbound SMTP smuggling strip extra CR in CR LF CR CR LF
+Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF
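Review bot: the stop-list entry for the superseded sentence, "Inbound SMTP smuggling strip extra CR in CR LF CR CR LF", is kept unchanged while the new "don t strip" variant is added; the RELEASE_NOTES sentence it covers is removed in this same change, so drop the old entry rather than leaving a dead exception in the spell-check list.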
dt b a name check_address_map check_address_map a i a href DATABASE_README html type table a i b dt
PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl 1 h
standard lt CR gt lt LF gt br br This maintains compatibility
- smtpd_forbid_bare_newline_reject_code br br This will fail
+ lt CR gt lt LF gt lt CR gt lt LF gt br br Such clients
+ smtpd_forbid_bare_newline_reject_code br br This will reject
+ br br This will also reject some email from Microsoft services
+2045 Sections 2 7 and 2 8 br br Such clients can be excluded
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20240116"
+#define MAIL_RELEASE_DATE "20240118"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT