From: Wietse Venema Date: Tue, 16 Jan 2024 05:00:00 +0000 (-0500) Subject: postfix-3.9-20240116 X-Git-Tag: v3.9.0~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bceb4a7a775530e83e8e7be6281e5ee08b14957b;p=thirdparty%2Fpostfix.git postfix-3.9-20240116 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 68837521b..cb4186ec1 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27716,9 +27716,7 @@ Apologies for any names omitted. newline handling has evolved. Files: global/smtp_stream.[hc], Files: global/smtp_stream.[hc], smtpd/smtpd.c. -20240113 +20240116 - Cleanup: updated the user interface. The smtpd_forbid_bare_newline - settings are now "require_std_end_of_data", "reject", and - "no", with "yes" as an alias for "require_std_end_of_data". - Files: smtpd/smtpd.c proto/postconf.proto. + Reverted some changes after postfix-3.9-20240112, and updated + documentation. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index a01f8b108..6beddc855 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -45,18 +45,18 @@ stray or characters. This feature applies to all email that Postfix locally or remotely sends out. It is not allowlisted based on client identity. -Major changes with snapshot 20240113 +Major changes with snapshot 20240116 ==================================== -This updates Postfix fixes for SMTP smuggling attacks, For background, -see https://www.postfix.org/smtp-smuggling.html +This updates Postfix fixes for inbound SMTP smuggling attacks. For +background, see https://www.postfix.org/smtp-smuggling.html This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24. - Improved logging for rejected input (it now includes queue ID, helo, mail, and rcpt, if available). -- The new default "smtpd_forbid_bare_newline = require_std_end_of_data" +- The new default "smtpd_forbid_bare_newline = normalize" requires the standard End-of-DATA sequence ., and allows bare newlines from SMTP clients, maintaining more compatibility with infrastructure tools such as probers and surveys. @@ -67,7 +67,7 @@ This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24. message that contains a bare newline. To disconnect the client, specify "smtpd_forbid_bare_newline_reject_code = 521". -- The old setting "yes" has become an alias for "require_std_end_of_data". +- The old setting "yes" has become an alias for "normalize". - The old setting "no" has not changed, and allows SMTP smuggling. @@ -82,10 +82,10 @@ The recommended Postfix 3.9 settings (i.e. the defaults) are now: # This maintains compatibility with many legitimate SMTP client # applications that send a mix of standard and non-standard line # endings, but will fail to receive email from client implementations - # that do not send . Such clients need to be + # that do not send .. Such clients need to be # excluded with smtpd_forbid_bare_newline_exclusions. # - smtpd_forbid_bare_newline = require_std_end_of_data + smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks Alternative settings: @@ -96,7 +96,7 @@ Alternative settings: # # Exclude local SMTP clients from enforcement. # - # This will very likely cause problems for SMTP clients that send + # This will fail to receive email from SMTP clients that send any # non-standard line endings such as web applications, netcat, or # load balancer health checks. Such clients need to be excluded with # smtpd_forbid_bare_newline_exclusions. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index df5598fca..60e94df1d 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -6,9 +6,6 @@ Wish list: Disable -DSNAPSHOT and -DNONPROD in makedefs. - Maybe add a pre-release check that stable releases cannot - have -DSNAPSHOT and -DNONPROD. - postfix-install should mention makedefs.out. Remove .printfck directories, and remove printfck targets diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index aef39eca1..ae0c01a35 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -15956,7 +15956,7 @@ This feature is available in Postfix 2.0 and later.
smtpd_forbid_bare_newline -(default: Postfix ≥ 3.9: require_std_end_of_data)
+(default: Postfix ≥ 3.9: normalize)

Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -15969,36 +15969,36 @@ SMTP smuggling.

-
require_std_end_of_data (default)
Require the -standard End-of-DATA sequence <CR><LF>.<CR><LF>. -Otherwise, allow input lines ending in the non-standard <LF>, -and process those as if the client sent inputs with the standard -<CR><LF>.
This maintains compatibility with many -legitimate SMTP client applications that send a mix of standard and -non-standard line endings, but will fail to receive email from -client implementations that do not send +
normalize (default)
Require the standard +End-of-DATA sequence <CR><LF>.<CR><LF>. +Otherwise, allow command or message content lines ending in the +non-standard <LF>, and process them as if the client sent the +standard <CR><LF>.

This maintains compatibility +with many legitimate SMTP client applications that send a mix of +standard and non-standard line endings, but will fail to receive +email from client implementations that do not send <CR><LF>.<CR><LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions.
- -
yes
Compatibility alias for -require_std_end_of_data.
- -
reject
Reject a command or message content -when a line ends in <LF>, log a "bare <LF> received" -error, and reject the command or message content with -$smtpd_forbid_bare_newline_reject_code. Require that input -lines end in <CR><LF>, and require the standard End-of-DATA -sequence <CR><LF>.<CR><LF>.
This will -very likely cause problems for SMTP clients that send non-standard +excluded with smtpd_forbid_bare_newline_exclusions.
+ +
yes
Compatibility alias for normalize.
+ +
reject
Require the standard End-of-DATA +sequence <CR><LF>.<CR><LF>. Reject a command +or message content when a line ends in <LF>, log a "bare +<LF> received" error, and reply with the SMTP status code in +$smtpd_forbid_bare_newline_reject_code.

This will fail +to receive email from SMTP clients that may send any non-standard line endings such as web applications, netcat, or load balancer health checks. Such clients need to be excluded with -smtpd_forbid_bare_newline_exclusions.
- -
no
Treat a bare <LF> as if the client -sent <CR><LF>. This option is fully backwards compatible, -but is not recommended for an Internet-facing SMTP server, because -it is vulnerable to -SMTP smuggling.
+smtpd_forbid_bare_newline_exclusions.
+ +
no
Do not require the standard End-of-DATA +sequence <CR><LF>.<CR><LF>. Always process +a bare <LF> as if the client sent <CR><LF>. This +option is fully backwards compatible, but is not recommended for +an Internet-facing SMTP server, because it is vulnerable to SMTP smuggling. +
@@ -16018,7 +16018,7 @@ SMTP smuggling. # that do not send <CR><LF>.<CR><LF>. Such clients need to be # excluded with smtpd_forbid_bare_newline_exclusions. # -smtpd_forbid_bare_newline = require_std_end_of_data +smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks @@ -16031,7 +16031,7 @@ SMTP smuggling. # # Exclude local SMTP clients from enforcement. # -# This will very likely cause problems for SMTP clients that send +# This will fail to receive email from SMTP clients that send any # non-standard line endings such as web applications, netcat, or # load balancer health checks. Such clients need to be excluded with # smtpd_forbid_bare_newline_exclusions. @@ -16043,9 +16043,8 @@ SMTP smuggling.

This feature with settings yes and no is available in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the -settings reject, and require_std_end_of_data are -available with Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. -

+settings reject, and normalize are available with +Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24.

@@ -16054,8 +16053,8 @@ available with Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. (default: $mynetworks)

Exclude the specified clients from smtpd_forbid_bare_newline -enforcement. It uses the same syntax and parent-domain matching -behavior as mynetworks.

+enforcement. This setting uses the same syntax and parent-domain +matching behavior as mynetworks.

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23.

@@ -16067,8 +16066,8 @@ behavior as mynetworks.

(default: 550)

-The numerical Postfix SMTP server response code when a request -is rejected by the smtpd_forbid_bare_newline feature. +The numerical Postfix SMTP server response code when rejecting a +request with "smtpd_forbid_bare_newline = reject". Specify a 5XX status code (521 to disconnect).

diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 7ae79aff4..85a8aeebf 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -997,7 +997,7 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later: - smtpd_forbid_bare_newline (Postfix >= 3.9: require_std_end_of_data) + smtpd_forbid_bare_newline (Postfix >= 3.9: normalize) Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. @@ -1008,8 +1008,8 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and later: smtpd_forbid_bare_newline_reject_code (550) - The numerical Postfix SMTP server response code when a request - is rejected by the smtpd_forbid_bare_newline feature. + The numerical Postfix SMTP server response code when rejecting a + request with "smtpd_forbid_bare_newline = reject". TARPIT CONTROLS When a remote SMTP client makes errors, the Postfix SMTP server can diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 0c2bbf24d..3d3f670a6 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -11029,7 +11029,7 @@ The smtpd_expansion_filter value is not subject to Postfix configuration parameter $name expansion. .PP This feature is available in Postfix 2.0 and later. -.SH smtpd_forbid_bare_newline (default: Postfix >= 3.9: require_std_end_of_data) +.SH smtpd_forbid_bare_newline (default: Postfix >= 3.9: normalize) Reject or restrict input lines from an SMTP client that end in instead of the standard . Such line endings are commonly allowed with UNIX\-based SMTP servers, but they @@ -11038,44 +11038,44 @@ vulnerable to SMTP smuggling. .PP Specify one of the following values (case does not matter): -.IP "\fBrequire_std_end_of_data\fR (default)" -Require the -standard End\-of\-DATA sequence .. -Otherwise, allow input lines ending in the non\-standard , -and process those as if the client sent inputs with the standard -. -.br -This maintains compatibility with many -legitimate SMTP client applications that send a mix of standard and -non\-standard line endings, but will fail to receive email from -client implementations that do not send +.IP "\fBnormalize\fR (default)" +Require the standard +End\-of\-DATA sequence .. +Otherwise, allow command or message content lines ending in the +non\-standard , and process them as if the client sent the +standard . +.br +.br +This maintains compatibility +with many legitimate SMTP client applications that send a mix of +standard and non\-standard line endings, but will fail to receive +email from client implementations that do not send .. Such clients need to be -excluded with \fBsmtpd_forbid_bare_newline_exclusions\fR. +excluded with smtpd_forbid_bare_newline_exclusions. .br .IP "\fByes\fR" -Compatibility alias for -\fBrequire_std_end_of_data\fR. +Compatibility alias for \fBnormalize\fR. .br .IP "\fBreject\fR" -Reject a command or message content -when a line ends in , log a "bare received" -error, and reject the command or message content with -$\fBsmtpd_forbid_bare_newline_reject_code\fR. Require that input -lines end in , and require the standard End\-of\-DATA -sequence .. -.br -This will -very likely cause problems for SMTP clients that send non\-standard +Require the standard End\-of\-DATA +sequence .. Reject a command +or message content when a line ends in , log a "bare + received" error, and reply with the SMTP status code in +$smtpd_forbid_bare_newline_reject_code. +.br +.br +This will fail +to receive email from SMTP clients that may send any non\-standard line endings such as web applications, netcat, or load balancer health checks. Such clients need to be excluded with -\fBsmtpd_forbid_bare_newline_exclusions\fR. +smtpd_forbid_bare_newline_exclusions. .br .IP "\fBno\fR" -Treat a bare as if the client -sent . This option is fully backwards compatible, -but is not recommended for an Internet\-facing SMTP server, because -it is vulnerable to -SMTP smuggling. +Do not require the standard End\-of\-DATA +sequence .. Always process +a bare as if the client sent . This +option is fully backwards compatible, but is not recommended for +an Internet\-facing SMTP server, because it is vulnerable to SMTP smuggling. .br .br .PP @@ -11097,7 +11097,7 @@ Examples: # that do not send .. Such clients need to be # excluded with smtpd_forbid_bare_newline_exclusions. # -smtpd_forbid_bare_newline = require_std_end_of_data +smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks .fi .ad @@ -11114,7 +11114,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks # # Exclude local SMTP clients from enforcement. # -# This will very likely cause problems for SMTP clients that send +# This will fail to receive email from SMTP clients that send any # non\-standard line endings such as web applications, netcat, or # load balancer health checks. Such clients need to be excluded with # smtpd_forbid_bare_newline_exclusions. @@ -11128,18 +11128,18 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks .PP This feature with settings \fByes\fR and \fBno\fR is available in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the -settings \fBreject\fR, and \fBrequire_std_end_of_data\fR are -available with Postfix >= 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. +settings \fBreject\fR, and \fBnormalize\fR are available with +Postfix >= 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. .SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks) Exclude the specified clients from smtpd_forbid_bare_newline -enforcement. It uses the same syntax and parent\-domain matching -behavior as mynetworks. +enforcement. This setting uses the same syntax and parent\-domain +matching behavior as mynetworks. .PP This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23. .SH smtpd_forbid_bare_newline_reject_code (default: 550) -The numerical Postfix SMTP server response code when a request -is rejected by the \fBsmtpd_forbid_bare_newline\fR feature. +The numerical Postfix SMTP server response code when rejecting a +request with "smtpd_forbid_bare_newline = reject". Specify a 5XX status code (521 to disconnect). .PP This feature is available in Postfix >= 3.9, 3.8.5, 3.7.10, diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index a4d41939d..4569f1fd6 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -870,7 +870,7 @@ Disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. .PP Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later: -.IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: require_std_end_of_data)\fR" +.IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: normalize)\fR" Reject or restrict input lines from an SMTP client that end in instead of the standard . .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR" @@ -880,8 +880,8 @@ enforcement. Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and later: .IP "\fBsmtpd_forbid_bare_newline_reject_code (550)\fR" -The numerical Postfix SMTP server response code when a request -is rejected by the \fBsmtpd_forbid_bare_newline\fR feature. +The numerical Postfix SMTP server response code when rejecting a +request with "smtpd_forbid_bare_newline = reject". .SH "TARPIT CONTROLS" .na .nf diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 7e3cd8cee..275dc318b 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19055,7 +19055,7 @@ MinProtocol = TLSv1

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.

-%PARAM smtpd_forbid_bare_newline Postfix ≥ 3.9: require_std_end_of_data +%PARAM smtpd_forbid_bare_newline Postfix ≥ 3.9: normalize

Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -19068,36 +19068,36 @@ SMTP smuggling.

-
require_std_end_of_data (default)
Require the -standard End-of-DATA sequence <CR><LF>.<CR><LF>. -Otherwise, allow input lines ending in the non-standard <LF>, -and process those as if the client sent inputs with the standard -<CR><LF>.
This maintains compatibility with many -legitimate SMTP client applications that send a mix of standard and -non-standard line endings, but will fail to receive email from -client implementations that do not send +
normalize (default)
Require the standard +End-of-DATA sequence <CR><LF>.<CR><LF>. +Otherwise, allow command or message content lines ending in the +non-standard <LF>, and process them as if the client sent the +standard <CR><LF>.

This maintains compatibility +with many legitimate SMTP client applications that send a mix of +standard and non-standard line endings, but will fail to receive +email from client implementations that do not send <CR><LF>.<CR><LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions.
- -
yes
Compatibility alias for -require_std_end_of_data.
- -
reject
Reject a command or message content -when a line ends in <LF>, log a "bare <LF> received" -error, and reject the command or message content with -$smtpd_forbid_bare_newline_reject_code. Require that input -lines end in <CR><LF>, and require the standard End-of-DATA -sequence <CR><LF>.<CR><LF>.
This will -very likely cause problems for SMTP clients that send non-standard +excluded with smtpd_forbid_bare_newline_exclusions.
+ +
yes
Compatibility alias for normalize.
+ +
reject
Require the standard End-of-DATA +sequence <CR><LF>.<CR><LF>. Reject a command +or message content when a line ends in <LF>, log a "bare +<LF> received" error, and reply with the SMTP status code in +$smtpd_forbid_bare_newline_reject_code.

This will fail +to receive email from SMTP clients that may send any non-standard line endings such as web applications, netcat, or load balancer health checks. Such clients need to be excluded with -smtpd_forbid_bare_newline_exclusions.
- -
no
Treat a bare <LF> as if the client -sent <CR><LF>. This option is fully backwards compatible, -but is not recommended for an Internet-facing SMTP server, because -it is vulnerable to -SMTP smuggling.
+smtpd_forbid_bare_newline_exclusions.
+ +
no
Do not require the standard End-of-DATA +sequence <CR><LF>.<CR><LF>. Always process +a bare <LF> as if the client sent <CR><LF>. This +option is fully backwards compatible, but is not recommended for +an Internet-facing SMTP server, because it is vulnerable to SMTP smuggling. +
@@ -19117,7 +19117,7 @@ SMTP smuggling. # that do not send <CR><LF>.<CR><LF>. Such clients need to be # excluded with smtpd_forbid_bare_newline_exclusions. # -smtpd_forbid_bare_newline = require_std_end_of_data +smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks @@ -19130,7 +19130,7 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks # # Exclude local SMTP clients from enforcement. # -# This will very likely cause problems for SMTP clients that send +# This will fail to receive email from SMTP clients that send any # non-standard line endings such as web applications, netcat, or # load balancer health checks. Such clients need to be excluded with # smtpd_forbid_bare_newline_exclusions. @@ -19142,15 +19142,14 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks

This feature with settings yes and no is available in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the -settings reject, and require_std_end_of_data are -available with Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. -

+settings reject, and normalize are available with +Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24.

%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks

Exclude the specified clients from smtpd_forbid_bare_newline -enforcement. It uses the same syntax and parent-domain matching -behavior as mynetworks.

+enforcement. This setting uses the same syntax and parent-domain +matching behavior as mynetworks.

This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, 3.6.13, and 3.5.23.

@@ -19158,8 +19157,8 @@ behavior as mynetworks.

%PARAM smtpd_forbid_bare_newline_reject_code 550

-The numerical Postfix SMTP server response code when a request -is rejected by the smtpd_forbid_bare_newline feature. +The numerical Postfix SMTP server response code when rejecting a +request with "smtpd_forbid_bare_newline = reject". Specify a 5XX status code (521 to disconnect).

diff --git a/postfix/proto/stop.double-proto-html b/postfix/proto/stop.double-proto-html index 78f8eed9d..a161f9a1b 100644 --- a/postfix/proto/stop.double-proto-html +++ b/postfix/proto/stop.double-proto-html @@ -345,3 +345,5 @@ query_filter mailacceptinggeneralid s maildrop maildrop maildrop owner cn root d dt b a name reject_unknown_sender_domain reject_unknown_sender_domain a b dt dt b a name check_address_map check_address_map a i a href DATABASE_README html type table a i b dt PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl 1 h +standard lt CR gt lt LF gt br br This maintains compatibility + smtpd_forbid_bare_newline_reject_code br br This will fail diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 62d6fb5b8..1f03b0b34 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4306,7 +4306,7 @@ extern char *var_smtpd_dns_re_filter; * Backwards compatibility. */ #define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline" -#define DEF_SMTPD_FORBID_BARE_LF "require_std_end_of_data" +#define DEF_SMTPD_FORBID_BARE_LF "normalize" #define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions" #define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 8b6685d77..d46c0f44d 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240113" +#define MAIL_RELEASE_DATE "20240116" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 3a4ff4dfb..f7aeb8799 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -824,7 +824,7 @@ /* command pipelining constraints. /* .PP /* Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later: -/* .IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: require_std_end_of_data)\fR" +/* .IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: normalize)\fR" /* Reject or restrict input lines from an SMTP client that end in /* instead of the standard . /* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR" @@ -834,8 +834,8 @@ /* Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and /* later: /* .IP "\fBsmtpd_forbid_bare_newline_reject_code (550)\fR" -/* The numerical Postfix SMTP server response code when a request -/* is rejected by the \fBsmtpd_forbid_bare_newline\fR feature. +/* The numerical Postfix SMTP server response code when rejecting a +/* request with "smtpd_forbid_bare_newline = reject". /* TARPIT CONTROLS /* .ad /* .fi @@ -1677,10 +1677,7 @@ int smtpd_hfrom_format; #define IS_BARE_LF_REPLY_REJECT(m) ((m) & BARE_LF_FLAG_REPLY_REJECT) static const NAME_CODE bare_lf_mask_table[] = { - "require_std_end_of_data", BARE_LF_FLAG_WANT_STD_EOD, /* Default */ -#ifdef SNAPSHOT - "normalize", BARE_LF_FLAG_WANT_STD_EOD, /* Migration aid */ -#endif + "normalize", BARE_LF_FLAG_WANT_STD_EOD, /* Default */ "yes", BARE_LF_FLAG_WANT_STD_EOD, /* Migration aid */ "reject", BARE_LF_FLAG_WANT_STD_EOD | BARE_LF_FLAG_REPLY_REJECT, "no", 0,