--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package postfix/3.5.23-0+deb11u1
- From: Scott Kitterman <debian@kitterman.com>
- Date: Sat, 27 Jan 2024 10:38:58 -0500
- Message-id: <170636993864.2185496.15972371160488007538.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This is the next in our normal postfix maintenance releases. It
consists soley of updates to the SMTP Smuggling processing that were
released near the end of December. I think it would be better to get
this in now for the next point release so that the fixes that most of
our users see are the final form.
[ Impact ]
Users will have the older version of the SMTP Smuggling fixes which mean
they are unable to sanitize outbound mail and then will have to consider
the inbound processing changes later instead of all at once.
[ Tests ]
The package has a reasonably extensive autopkgtest, although it does not
have specific tests for SMTP Smuggling, it does ensure the changes do
not cause regressions. The tests pass when run locally. Additionally,
I have installed the package on one of my servers to verified it is
still working as expected.
[ Risks ]
Risk is negligible. No changes from the upstream release and upstream
is known to be very careful. The risk is primarily on not updating as
there are changes (backward compatible, so there's no issue if someone
already dealt with SMTP Smuggling based on the December release) in how
some of the related controls work. If we don't update, then behavior on
Debian will differ from user expectations. The alternative would be to
hold this until the next point release, which I don't think would be a
good idea.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- Security (outbound SMTP smuggling): with the default setting
"cleanup_replace_stray_cr_lf = yes" Postfix will replace
stray <CR> or <LF> characters in message content with a
space character. This prevents Postfix from enabling
outbound (remote) SMTP smuggling, and it also makes evaluation
of Postfix-added DKIM etc. signatures independent from how
a remote mail server handles stray <CR> or <LF> characters.
Files: global/mail_params.h, cleanup/cleanup.c,
cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
- Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
= normalize" (default "no" for Postfix < 3.9), the Postfix
SMTP server requires the standard End-of-DATA sequence
<CR><LF>.<CR><LF>, and otherwise allows command or message
content lines ending in the non-standard <LF>, processing
them as if the client sent the standard <CR><LF>.
The alternative setting, "smtpd_forbid_bare_newline = reject"
will reject any command or message that contains a bare
<LF>, and is more likely to cause problems with legitimate
clients.
For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks".
Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c, smtpd/smtpd_check.[hc].
[ Other info ]
I do not think an SUA is required for this update. The capability
provided by the December SUA is sufficient until the next point release.
Scott K
diff -Nru postfix-3.5.23/debian/changelog postfix-3.5.24/debian/changelog
--- postfix-3.5.23/debian/changelog 2023-12-26 16:07:38.000000000 -0500
+++ postfix-3.5.24/debian/changelog 2024-01-27 10:21:04.000000000 -0500
@@ -1,3 +1,36 @@
+postfix (3.5.24-0+deb11u1) bullseye; urgency=medium
+
+ [Wietse Venema]
+
+ * 3.5.24
+ - Security (outbound SMTP smuggling): with the default setting
+ "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+ stray <CR> or <LF> characters in message content with a
+ space character. This prevents Postfix from enabling
+ outbound (remote) SMTP smuggling, and it also makes evaluation
+ of Postfix-added DKIM etc. signatures independent from how
+ a remote mail server handles stray <CR> or <LF> characters.
+ Files: global/mail_params.h, cleanup/cleanup.c,
+ cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+ - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+ = normalize" (default "no" for Postfix < 3.9), the Postfix
+ SMTP server requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, and otherwise allows command or message
+ content lines ending in the non-standard <LF>, processing
+ them as if the client sent the standard <CR><LF>.
+ The alternative setting, "smtpd_forbid_bare_newline = reject"
+ will reject any command or message that contains a bare
+ <LF>, and is more likely to cause problems with legitimate
+ clients.
+ For backwards compatibility, local clients are excluded by
+ default with "smtpd_forbid_bare_newline_exclusions =
+ $mynetworks".
+ Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
+ smtpd/smtpd.c, smtpd/smtpd_check.[hc].
+
+ -- Scott Kitterman <scott@kitterman.com> Sat, 27 Jan 2024 10:21:04 -0500
+
postfix (3.5.23-0+deb11u1) bullseye; urgency=medium
[Wietse Venema]
diff -Nru postfix-3.5.23/HISTORY postfix-3.5.24/HISTORY
--- postfix-3.5.23/HISTORY 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/HISTORY 2024-01-19 14:16:32.000000000 -0500
@@ -25400,16 +25400,36 @@
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
-20231221
+20240109
- Security: with "smtpd_forbid_bare_newline = yes" (default
- "no" for Postfix < 3.9), reply with "Error: bare <LF>
- received" and disconnect when an SMTP client sends a line
- ending in <LF>, violating the RFC 5321 requirement that
- lines must end in <CR><LF>. This prevents SMTP smuggling
- attacks that target a recipient at a Postfix server. For
- backwards compatibility, local clients are excluded by
+ Security (outbound SMTP smuggling): with the default setting
+ "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+ stray <CR> or <LF> characters in message content with a
+ space character. This prevents Postfix from enabling
+ outbound (remote) SMTP smuggling, and it also makes evaluation
+ of Postfix-added DKIM etc. signatures independent from how
+ a remote mail server handles stray <CR> or <LF> characters.
+ Files: global/mail_params.h, cleanup/cleanup.c,
+ cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+
+20240112
+
+ Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+ = normalize" (default "no" for Postfix < 3.9), the Postfix
+ SMTP server requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, and otherwise allows command or message
+ content lines ending in the non-standard <LF>, processing
+ them as if the client sent the standard <CR><LF>.
+
+ The alternative setting, "smtpd_forbid_bare_newline = reject"
+ will reject any command or message that contains a bare
+ <LF>, and is more likely to cause problems with legitimate
+ clients.
+
+ For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
- $mynetworks". Files: mantools/postlink, proto/postconf.proto,
+ $mynetworks".
+
+ Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
- smtpd/smtpd.c.
+ smtpd/smtpd.c, smtpd/smtpd_check.[hc].
diff -Nru postfix-3.5.23/html/cleanup.8.html postfix-3.5.24/html/cleanup.8.html
--- postfix-3.5.23/html/cleanup.8.html 2019-11-09 19:00:16.000000000 -0500
+++ postfix-3.5.24/html/cleanup.8.html 2024-01-19 14:27:01.000000000 -0500
@@ -146,6 +146,16 @@
The set of characters that Postfix will remove from message con-
tent.
+ Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24, and
+ later:
+
+ <b><a href="postconf.5.html#cleanup_replace_stray_cr_lf">cleanup_replace_stray_cr_lf</a> (yes)</b>
+ Replace each stray <CR> or <LF> character in message content
+ with a space character, to prevent outbound SMTP smuggling, and
+ to make the evaluation of Postfix-added DKIM or other signatures
+ independent from how a remote mail server handles such charac-
+ ters.
+
<b>BEFORE QUEUE MILTER CONTROLS</b>
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server,
diff -Nru postfix-3.5.23/html/postconf.5.html postfix-3.5.24/html/postconf.5.html
--- postfix-3.5.23/html/postconf.5.html 2023-12-22 13:58:15.000000000 -0500
+++ postfix-3.5.24/html/postconf.5.html 2024-01-21 17:27:31.000000000 -0500
@@ -1444,6 +1444,40 @@
</DD>
+<DT><b><a name="cleanup_replace_stray_cr_lf">cleanup_replace_stray_cr_lf</a>
+(default: yes)</b></DT><DD>
+
+<p> Replace each stray <CR> or <LF> character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
+</p>
+
+<p> SMTP does not allow such characters unless they are part of a
+<CR><LF> sequence, and different mail systems handle
+such stray characters in an implementation-dependent manner. Stray
+<CR> or <LF> characters could be used for outbound
+SMTP smuggling, where an attacker uses a Postfix server to send
+message content with a non-standard End-of-DATA sequence that
+triggers inbound SMTP smuggling at a remote SMTP server.</p>
+
+<p> The replacement happens before all other content management,
+and before Postfix may add a DKIM etc. signature; if the signature
+were created first, the replacement could invalidate the signature.
+</p>
+
+<p> In addition to preventing SMTP smuggling, replacing stray
+<CR> or <LF> characters ensures that the result of
+signature validation by later mail system will not depend on how
+that mail system handles those stray characters in an
+implementation-dependent manner. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24. </p>
+
+
+</DD>
+
<DT><b><a name="cleanup_service_name">cleanup_service_name</a>
(default: cleanup)</b></DT><DD>
@@ -15052,32 +15086,118 @@
<DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
(default: Postfix < 3.9: no)</b></DT><DD>
-<p> Reply with "Error: bare <LF> received" and disconnect
-when a remote SMTP client sends a line ending in <LF>, violating
-the <a href="http://tools.ietf.org/html/rfc5321";>RFC 5321</a> requirement that lines must end in <CR><LF>.
-This feature is disbled by default with Postfix < 3.9. Use
-<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> to exclude non-standard clients
-such as netcat. Specify "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable
-(not recommended for an Internet-connected MTA). </p>
+<p> Reject or restrict input lines from an SMTP client that end in
+<LF> instead of the standard <CR><LF>. Such line
+endings are commonly allowed with UNIX-based SMTP servers, but they
+violate <a href="http://tools.ietf.org/html/rfc5321";>RFC 5321</a>, and allowing such line endings can make a server
+vulnerable to <a href="https://www.postfix.org/smtp-smuggling.html";>
+SMTP smuggling</a>. </p>
-<p> See <a href="https://www.postfix.org/smtp-smuggling.html";>
-https://www.postfix.org/smtp-smuggling.html</a> for details.
+<p> Specify one of the following values (case does not matter): </p>
-<p> Example: </p>
+<dl compact>
+
+<dt> <b>normalize</b></dt> <dd> Require the standard
+End-of-DATA sequence <CR><LF>.<CR><LF>.
+Otherwise, allow command or message content lines ending in the
+non-standard <LF>, and process them as if the client sent the
+standard <CR><LF>. <br> <br> This maintains compatibility
+with many legitimate SMTP client applications that send a mix of
+standard and non-standard line endings, but will fail to receive
+email from client implementations that do not terminate DATA content
+with the standard End-of-DATA sequence
+<CR><LF>.<CR><LF>. <br> <br> Such clients
+can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+
+<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
+
+<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
+sequence <CR><LF>.<CR><LF>. Reject a command
+or message content when a line contains bare <LF>, log a "bare
+<LF> received" error, and reply with the SMTP status code in
+$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will reject
+email from SMTP clients that send any non-standard line endings
+such as web applications, netcat, or load balancer health checks.
+<br> <br> This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (<a href="http://tools.ietf.org/html/rfc3030";>RFC 3030</a> Section 3
+requires canonical MIME format for text message types, defined in
+<a href="http://tools.ietf.org/html/rfc2045";>RFC 2045</a> Sections 2.7 and 2.8). <br> <br> Such clients can be
+excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
+
+<dt> <b>no</b> (default)</dt> <dd> Do not require the standard
+End-of-DATA
+sequence <CR><LF>.<CR><LF>. Always process
+a bare <LF> as if the client sent <CR><LF>. This
+option is fully backwards compatible, but is not recommended for
+an Internet-facing SMTP server, because it is vulnerable to <a
+href="https://www.postfix.org/smtp-smuggling.html";> SMTP smuggling</a>.
+</dd>
+
+</dl>
+
+<p> Recommended settings: </p>
<blockquote>
<pre>
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
+# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+# Otherwise, allow bare <LF> and process it as if the client sent
+# <CR><LF>.
+#
+# This maintains compatibility with many legitimate SMTP client
+# applications that send a mix of standard and non-standard line
+# endings, but will fail to receive email from client implementations
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
#
-<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
+<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = normalize
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
-<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
-3.6.13, and 3.5.23. </p>
+<p> Alternative: </p>
+
+<blockquote>
+<pre>
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+#
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
+#
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (<a href="http://tools.ietf.org/html/rfc3030";>RFC 3030</a> Section 3 requires
+# canonical MIME format for text message types, defined in <a href="http://tools.ietf.org/html/rfc2045";>RFC 2045</a>
+# Sections 2.7 and 2.8).
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
+#
+<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject
+<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>.
+#
+# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> = <a href="cidr_table.5.html">cidr</a>:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent-discard
+# <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent-discard
+</pre>
+</blockquote>
+
+<p> This feature with settings <b>yes</b> and <b>no</b> is available
+in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the
+settings <b>reject</b>, and <b>normalize</b> are available with
+Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. </p>
</DD>
@@ -15086,27 +15206,29 @@
(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
<p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
-enforcement. It uses the same syntax and parent-domain matching
-behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
-
-<p> Example: </p>
-
-<blockquote>
-<pre>
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
-#
-<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
-<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
-</pre>
-</blockquote>
+enforcement. This setting uses the same syntax and parent-domain
+matching behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
</DD>
+
+<DT><b><a name="smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>
+(default: 550)</b></DT><DD>
+
+<p>
+The numerical Postfix SMTP server response code when rejecting a
+request with "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject".
+Specify a 5XX status code (521 to disconnect).
+</p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24. </p>
+
+
+</DD>
<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
(default: Postfix ≥ 3.9: yes)</b></DT><DD>
diff -Nru postfix-3.5.23/html/smtpd.8.html postfix-3.5.24/html/smtpd.8.html
--- postfix-3.5.23/html/smtpd.8.html 2023-12-22 13:58:15.000000000 -0500
+++ postfix-3.5.24/html/smtpd.8.html 2024-01-19 14:25:15.000000000 -0500
@@ -917,17 +917,28 @@
Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920";>RFC 2920</a> (or 5321)
command pipelining constraints.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> ><b>= 3.9: yes)</b>
+ Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920";>RFC 2920</a> (or 5321)
+ command pipelining constraints.
+
Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
<b><a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> (Postfix</b> < <b>3.9: no)</b>
- Reply with "Error: bare <LF> received" and disconnect when a
- remote SMTP client sends a line ending in <LF>, violating the
- <a href="http://tools.ietf.org/html/rfc5321";>RFC 5321</a> requirement that lines must end in <CR><LF>.
+ Reject or restrict input lines from an SMTP client that end in
+ <LF> instead of the standard <CR><LF>.
<b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement.
+ Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and later:
+
+ <b><a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a> (550)</b>
+ The numerical Postfix SMTP server response code when rejecting a
+ request with "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject".
+
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away
diff -Nru postfix-3.5.23/man/man5/postconf.5 postfix-3.5.24/man/man5/postconf.5
--- postfix-3.5.23/man/man5/postconf.5 2023-12-22 13:58:15.000000000 -0500
+++ postfix-3.5.24/man/man5/postconf.5 2024-01-21 17:27:32.000000000 -0500
@@ -845,6 +845,32 @@
.fi
.ad
.ft R
+.SH cleanup_replace_stray_cr_lf (default: yes)
+Replace each stray <CR> or <LF> character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix\-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
+.PP
+SMTP does not allow such characters unless they are part of a
+<CR><LF> sequence, and different mail systems handle
+such stray characters in an implementation\-dependent manner. Stray
+<CR> or <LF> characters could be used for outbound
+SMTP smuggling, where an attacker uses a Postfix server to send
+message content with a non\-standard End\-of\-DATA sequence that
+triggers inbound SMTP smuggling at a remote SMTP server.
+.PP
+The replacement happens before all other content management,
+and before Postfix may add a DKIM etc. signature; if the signature
+were created first, the replacement could invalidate the signature.
+.PP
+In addition to preventing SMTP smuggling, replacing stray
+<CR> or <LF> characters ensures that the result of
+signature validation by later mail system will not depend on how
+that mail system handles those stray characters in an
+implementation\-dependent manner.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24.
.SH cleanup_service_name (default: cleanup)
The name of the \fBcleanup\fR(8) service. This service rewrites addresses
into the standard form, and performs \fBcanonical\fR(5) address mapping
@@ -10207,60 +10233,153 @@
.PP
This feature is available in Postfix 2.0 and later.
.SH smtpd_forbid_bare_newline (default: Postfix < 3.9: no)
-Reply with "Error: bare <LF> received" and disconnect
-when a remote SMTP client sends a line ending in <LF>, violating
-the RFC 5321 requirement that lines must end in <CR><LF>.
-This feature is disbled by default with Postfix < 3.9. Use
-smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients
-such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
-(not recommended for an Internet\-connected MTA).
-.PP
-See
-https://www.postfix.org/smtp\-smuggling.html for details.
+Reject or restrict input lines from an SMTP client that end in
+<LF> instead of the standard <CR><LF>. Such line
+endings are commonly allowed with UNIX\-based SMTP servers, but they
+violate RFC 5321, and allowing such line endings can make a server
+vulnerable to
+SMTP smuggling.
+.PP
+Specify one of the following values (case does not matter):
+.IP "\fBnormalize\fR"
+Require the standard
+End\-of\-DATA sequence <CR><LF>.<CR><LF>.
+Otherwise, allow command or message content lines ending in the
+non\-standard <LF>, and process them as if the client sent the
+standard <CR><LF>.
+.br
+.br
+This maintains compatibility
+with many legitimate SMTP client applications that send a mix of
+standard and non\-standard line endings, but will fail to receive
+email from client implementations that do not terminate DATA content
+with the standard End\-of\-DATA sequence
+<CR><LF>.<CR><LF>.
+.br
+.br
+Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions.
+.br
+.IP "\fByes\fR"
+Compatibility alias for \fBnormalize\fR.
+.br
+.IP "\fBreject\fR"
+Require the standard End\-of\-DATA
+sequence <CR><LF>.<CR><LF>. Reject a command
+or message content when a line contains bare <LF>, log a "bare
+<LF> received" error, and reply with the SMTP status code in
+$smtpd_forbid_bare_newline_reject_code.
+.br
+.br
+This will reject
+email from SMTP clients that send any non\-standard line endings
+such as web applications, netcat, or load balancer health checks.
+.br
+.br
+This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (RFC 3030 Section 3
+requires canonical MIME format for text message types, defined in
+RFC 2045 Sections 2.7 and 2.8).
+.br
+.br
+Such clients can be
+excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords).
+.br
+.IP "\fBno\fR (default)"
+Do not require the standard
+End\-of\-DATA
+sequence <CR><LF>.<CR><LF>. Always process
+a bare <LF> as if the client sent <CR><LF>. This
+option is fully backwards compatible, but is not recommended for
+an Internet\-facing SMTP server, because it is vulnerable to SMTP smuggling.
+.br
+.br
.PP
-Example:
+Recommended settings:
.sp
.in +4
.nf
.na
.ft C
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non\-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
+# Require the standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
+# Otherwise, allow bare <LF> and process it as if the client sent
+# <CR><LF>.
#
-smtpd_forbid_bare_newline = yes
+# This maintains compatibility with many legitimate SMTP client
+# applications that send a mix of standard and non\-standard line
+# endings, but will fail to receive email from client implementations
+# that do not terminate DATA content with the standard End\-of\-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
+#
+smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
-This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
-3.6.13, and 3.5.23.
-.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
-Exclude the specified clients from smtpd_forbid_bare_newline
-enforcement. It uses the same syntax and parent\-domain matching
-behavior as mynetworks.
-.PP
-Example:
+Alternative:
.sp
.in +4
.nf
.na
.ft C
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non\-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
+#
+# This will reject email from SMTP clients that send any non\-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
#
-smtpd_forbid_bare_newline = yes
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (RFC 3030 Section 3 requires
+# canonical MIME format for text message types, defined in RFC 2045
+# Sections 2.7 and 2.8).
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
+#
+smtpd_forbid_bare_newline = reject
smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent\-discard
+# smtpd_discard_ehlo_keywords = chunking, silent\-discard
.fi
.ad
.ft R
.in -4
.PP
+This feature with settings \fByes\fR and \fBno\fR is available
+in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the
+settings \fBreject\fR, and \fBnormalize\fR are available with
+Postfix >= 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24.
+.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
+Exclude the specified clients from smtpd_forbid_bare_newline
+enforcement. This setting uses the same syntax and parent\-domain
+matching behavior as mynetworks.
+.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
+.SH smtpd_forbid_bare_newline_reject_code (default: 550)
+The numerical Postfix SMTP server response code when rejecting a
+request with "smtpd_forbid_bare_newline = reject".
+Specify a 5XX status code (521 to disconnect).
+.PP
+This feature is available in Postfix >= 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24.
.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
diff -Nru postfix-3.5.23/man/man8/cleanup.8 postfix-3.5.24/man/man8/cleanup.8
--- postfix-3.5.23/man/man8/cleanup.8 2019-11-09 19:00:16.000000000 -0500
+++ postfix-3.5.24/man/man8/cleanup.8 2024-01-19 14:26:14.000000000 -0500
@@ -146,6 +146,14 @@
.IP "\fBmessage_strip_characters (empty)\fR"
The set of characters that Postfix will remove from message
content.
+.PP
+Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14,
+3.5.24, and later:
+.IP "\fBcleanup_replace_stray_cr_lf (yes)\fR"
+Replace each stray <CR> or <LF> character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix\-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
.SH "BEFORE QUEUE MILTER CONTROLS"
.na
.nf
diff -Nru postfix-3.5.23/man/man8/smtpd.8 postfix-3.5.24/man/man8/smtpd.8
--- postfix-3.5.23/man/man8/smtpd.8 2023-12-22 13:58:15.000000000 -0500
+++ postfix-3.5.24/man/man8/smtpd.8 2024-01-19 14:24:14.000000000 -0500
@@ -812,12 +812,17 @@
.PP
Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
.IP "\fBsmtpd_forbid_bare_newline (Postfix < 3.9: no)\fR"
-Reply with "Error: bare <LF> received" and disconnect
-when a remote SMTP client sends a line ending in <LF>, violating
-the RFC 5321 requirement that lines must end in <CR><LF>.
+Reject or restrict input lines from an SMTP client that end in
+<LF> instead of the standard <CR><LF>.
.IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement.
+.PP
+Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and
+later:
+.IP "\fBsmtpd_forbid_bare_newline_reject_code (550)\fR"
+The numerical Postfix SMTP server response code when rejecting a
+request with "smtpd_forbid_bare_newline = reject".
.SH "TARPIT CONTROLS"
.na
.nf
diff -Nru postfix-3.5.23/mantools/postlink postfix-3.5.24/mantools/postlink
--- postfix-3.5.23/mantools/postlink 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/mantools/postlink 2024-01-19 14:16:32.000000000 -0500
@@ -548,8 +548,10 @@
s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
- s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
- s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_new[-</bB>]*\n*[ <bB>]*line\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_new[-</bB>]*\n*[ <bB>]*line_reject_code\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_new[-</bB>]*\n*[ <bB>]*line_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
+ s;\bcleanup_replace_stray_cr_lf\b;<a href="postconf.5.html#cleanup_replace_stray_cr_lf">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
diff -Nru postfix-3.5.23/proto/postconf.proto postfix-3.5.24/proto/postconf.proto
--- postfix-3.5.23/proto/postconf.proto 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/proto/postconf.proto 2024-01-21 16:22:34.000000000 -0500
@@ -17865,55 +17865,169 @@
%PARAM smtpd_forbid_bare_newline Postfix < 3.9: no
-<p> Reply with "Error: bare <LF> received" and disconnect
-when a remote SMTP client sends a line ending in <LF>, violating
-the RFC 5321 requirement that lines must end in <CR><LF>.
-This feature is disbled by default with Postfix < 3.9. Use
-smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
-such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
-(not recommended for an Internet-connected MTA). </p>
+<p> Reject or restrict input lines from an SMTP client that end in
+<LF> instead of the standard <CR><LF>. Such line
+endings are commonly allowed with UNIX-based SMTP servers, but they
+violate RFC 5321, and allowing such line endings can make a server
+vulnerable to <a href="https://www.postfix.org/smtp-smuggling.html";>
+SMTP smuggling</a>. </p>
+
+<p> Specify one of the following values (case does not matter): </p>
+
+<dl compact>
+
+<dt> <b>normalize</b></dt> <dd> Require the standard
+End-of-DATA sequence <CR><LF>.<CR><LF>.
+Otherwise, allow command or message content lines ending in the
+non-standard <LF>, and process them as if the client sent the
+standard <CR><LF>. <br> <br> This maintains compatibility
+with many legitimate SMTP client applications that send a mix of
+standard and non-standard line endings, but will fail to receive
+email from client implementations that do not terminate DATA content
+with the standard End-of-DATA sequence
+<CR><LF>.<CR><LF>. <br> <br> Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions. </dd>
+
+<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
+
+<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
+sequence <CR><LF>.<CR><LF>. Reject a command
+or message content when a line contains bare <LF>, log a "bare
+<LF> received" error, and reply with the SMTP status code in
+$smtpd_forbid_bare_newline_reject_code. <br> <br> This will reject
+email from SMTP clients that send any non-standard line endings
+such as web applications, netcat, or load balancer health checks.
+<br> <br> This will also reject email from services that use BDAT
+to send MIME text containing a bare newline (RFC 3030 Section 3
+requires canonical MIME format for text message types, defined in
+RFC 2045 Sections 2.7 and 2.8). <br> <br> Such clients can be
+excluded with smtpd_forbid_bare_newline_exclusions (or, in the case
+of BDAT violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords). </dd>
+
+<dt> <b>no</b> (default)</dt> <dd> Do not require the standard
+End-of-DATA
+sequence <CR><LF>.<CR><LF>. Always process
+a bare <LF> as if the client sent <CR><LF>. This
+option is fully backwards compatible, but is not recommended for
+an Internet-facing SMTP server, because it is vulnerable to <a
+href="https://www.postfix.org/smtp-smuggling.html";> SMTP smuggling</a>.
+</dd>
-<p> See <a href="https://www.postfix.org/smtp-smuggling.html";>
-https://www.postfix.org/smtp-smuggling.html</a> for details.
+</dl>
-<p> Example: </p>
+<p> Recommended settings: </p>
<blockquote>
<pre>
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
+# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+# Otherwise, allow bare <LF> and process it as if the client sent
+# <CR><LF>.
#
-smtpd_forbid_bare_newline = yes
+# This maintains compatibility with many legitimate SMTP client
+# applications that send a mix of standard and non-standard line
+# endings, but will fail to receive email from client implementations
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
+#
+smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>
-<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
-3.6.13, and 3.5.23. </p>
-
-%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
-
-<p> Exclude the specified clients from smtpd_forbid_bare_newline
-enforcement. It uses the same syntax and parent-domain matching
-behavior as mynetworks. </p>
-
-<p> Example: </p>
+<p> Alternative: </p>
<blockquote>
<pre>
-# Disconnect remote SMTP clients that send bare newlines, but allow
-# local clients with non-standard SMTP implementations such as netcat,
-# fax machines, or load balancer health checks.
+# Reject input lines that contain <LF> and log a "bare <LF> received"
+# error. Require that input lines end in <CR><LF>, and require the
+# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+#
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
+#
+# This will also reject email from services that use BDAT to send
+# MIME text containing a bare newline (RFC 3030 Section 3 requires
+# canonical MIME format for text message types, defined in RFC 2045
+# Sections 2.7 and 2.8).
#
-smtpd_forbid_bare_newline = yes
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
+#
+smtpd_forbid_bare_newline = reject
smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+# /path/to/file:
+# 10.0.0.0/24 chunking, silent-discard
+# smtpd_discard_ehlo_keywords = chunking, silent-discard
</pre>
</blockquote>
+<p> This feature with settings <b>yes</b> and <b>no</b> is available
+in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the
+settings <b>reject</b>, and <b>normalize</b> are available with
+Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. </p>
+
+%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
+
+<p> Exclude the specified clients from smtpd_forbid_bare_newline
+enforcement. This setting uses the same syntax and parent-domain
+matching behavior as mynetworks. </p>
+
<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
+%PARAM smtpd_forbid_bare_newline_reject_code 550
+
+<p>
+The numerical Postfix SMTP server response code when rejecting a
+request with "smtpd_forbid_bare_newline = reject".
+Specify a 5XX status code (521 to disconnect).
+</p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24. </p>
+
+%PARAM cleanup_replace_stray_cr_lf yes
+
+<p> Replace each stray <CR> or <LF> character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
+</p>
+
+<p> SMTP does not allow such characters unless they are part of a
+<CR><LF> sequence, and different mail systems handle
+such stray characters in an implementation-dependent manner. Stray
+<CR> or <LF> characters could be used for outbound
+SMTP smuggling, where an attacker uses a Postfix server to send
+message content with a non-standard End-of-DATA sequence that
+triggers inbound SMTP smuggling at a remote SMTP server.</p>
+
+<p> The replacement happens before all other content management,
+and before Postfix may add a DKIM etc. signature; if the signature
+were created first, the replacement could invalidate the signature.
+</p>
+
+<p> In addition to preventing SMTP smuggling, replacing stray
+<CR> or <LF> characters ensures that the result of
+signature validation by later mail system will not depend on how
+that mail system handles those stray characters in an
+implementation-dependent manner. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10,
+3.6.14, and 3.5.24. </p>
+
%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes
<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
diff -Nru postfix-3.5.23/README_FILES/RELEASE_NOTES postfix-3.5.24/README_FILES/RELEASE_NOTES
--- postfix-3.5.23/README_FILES/RELEASE_NOTES 2023-12-22 13:57:33.000000000 -0500
+++ postfix-3.5.24/README_FILES/RELEASE_NOTES 2024-01-21 17:46:01.000000000 -0500
@@ -24,32 +24,105 @@
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+
+Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+==============================================================
-Major changes with Postfix 3.5.23
-=================================
+Improvements for outbound SMTP smuggling defense:
+
+- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
+ daemon replaces each stray <CR> or <LF> character in message
+ content with a space character. The replacement happens before
+ any other content management (header/body_checks, Milters, etc).
+
+ This prevents outbound SMTP smuggling, where an attacker uses
+ Postfix to send email containing a non-standard End-of-DATA
+ sequence, to exploit inbound SMTP smuggling at a vulnerable remote
+ SMTP server.
+
+ This also improves the remote evaluation of Postfix-added DKIM
+ and other signatures, as the evaluation result will not depend
+ on how a remote email server handles stray <CR> or <LF> characters.
+
+This feature applies to all email that Postfix locally or remotely
+sends out. It is not allowlisted based on client identity.
+
+Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+============================================================
+
+Improvements for inbound SMTP smuggling defense:
+
+- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
+ = normalize" requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
+ maintaining more compatibility with existing infrastructure.
+
+- Improved logging for rejected input (it now includes queue ID,
+ helo, mail, and rcpt, if available).
+
+- The setting "smtpd_forbid_bare_newline = reject" requires
+ that input lines end in <CR><LF>, requires the standard End-of-DATA
+ sequence <CR><LF>.<CR><LF>, and rejects a command or message that
+ contains a bare newline. To disconnect the client, specify
+ "smtpd_forbid_bare_newline_reject_code = 521".
+
+- The Postfix SMTP server no longer strips extra <CR> as in
+ <CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
+ that send attack sequences that real mail servers cannot send.
+ Details at https://www.postfix.org/false-smuggling-claims.html
+
+- The old setting "yes" has become an alias for "normalize".
+
+- The old setting "no" has not changed, and allows SMTP smuggling.
-Security: the Postfix SMTP server optionally disconnects a remote
-SMTP client that sends a 'bare newline' line ending in SMTP. This
-prevents an SMTP smuggling attack on recipients at a Postfix server.
-For background, see https://www.postfix.org/smtp-smuggling.html
-
-Sites concerned about SMTP smuggling attacks should enable this
-feature in Internet-facing Postfix servers. For compatibility with
-non-standard clients, Postfix by default excludes clients in
-mynetworks from this countermeasure.
-
-The recommended settings are:
-
- # Optionally disconnect remote SMTP clients that send bare newlines,
- # but allow local clients with non-standard SMTP implementations
- # such as netcat, fax machines, or load balancer health checks.
+The recommended settings are now:
+
+ # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ # Otherwise, allow bare <LF> and process it as if the client sent
+ # <CR><LF>.
+ #
+ # This maintains compatibility with many legitimate SMTP client
+ # applications that send a mix of standard and non-standard line
+ # endings, but will fail to receive email from client implementations
+ # that do not terminate DATA content with the standard End-of-DATA
+ # sequence <CR><LF>.<CR><LF>.
#
- smtpd_forbid_bare_newline = no
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
-This feature is back-ported from Postfix 3.9, with the difference
-that "smtpd_forbid_bare_newline = no" by default.
-
+Alternative settings:
+
+ # Reject input lines that contain <LF> and log a "bare <LF> received"
+ # error. Require that input lines end in <CR><LF>, and require the
+ # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ #
+ # This will reject email from SMTP clients that send any non-standard
+ # line endings such as web applications, netcat, or load balancer
+ # health checks.
+ #
+ # This will also reject email from services that use BDAT to send
+ # MIME text containing a bare newline (RFC 3030 Section 3 requires
+ # canonical MIME format for text message types, defined in RFC 2045
+ # Sections 2.7 and 2.8).
+ #
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = reject
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+ #
+ # Alternatively, in the case of BDAT violations, BDAT can be selectively
+ # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+ # disabled with smtpd_discard_ehlo_keywords.
+ #
+ # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+ # /path/to/file:
+ # 10.0.0.0/24 chunking, silent-discard
+ # smtpd_discard_ehlo_keywords = chunking, silent-discard
+
Major changes with Postfix 3.5.20
=================================
diff -Nru postfix-3.5.23/RELEASE_NOTES postfix-3.5.24/RELEASE_NOTES
--- postfix-3.5.23/RELEASE_NOTES 2023-12-22 13:57:33.000000000 -0500
+++ postfix-3.5.24/RELEASE_NOTES 2024-01-21 17:46:01.000000000 -0500
@@ -24,32 +24,105 @@
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+
+Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+==============================================================
-Major changes with Postfix 3.5.23
-=================================
+Improvements for outbound SMTP smuggling defense:
+
+- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
+ daemon replaces each stray <CR> or <LF> character in message
+ content with a space character. The replacement happens before
+ any other content management (header/body_checks, Milters, etc).
+
+ This prevents outbound SMTP smuggling, where an attacker uses
+ Postfix to send email containing a non-standard End-of-DATA
+ sequence, to exploit inbound SMTP smuggling at a vulnerable remote
+ SMTP server.
+
+ This also improves the remote evaluation of Postfix-added DKIM
+ and other signatures, as the evaluation result will not depend
+ on how a remote email server handles stray <CR> or <LF> characters.
+
+This feature applies to all email that Postfix locally or remotely
+sends out. It is not allowlisted based on client identity.
+
+Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+============================================================
+
+Improvements for inbound SMTP smuggling defense:
+
+- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
+ = normalize" requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
+ maintaining more compatibility with existing infrastructure.
+
+- Improved logging for rejected input (it now includes queue ID,
+ helo, mail, and rcpt, if available).
+
+- The setting "smtpd_forbid_bare_newline = reject" requires
+ that input lines end in <CR><LF>, requires the standard End-of-DATA
+ sequence <CR><LF>.<CR><LF>, and rejects a command or message that
+ contains a bare newline. To disconnect the client, specify
+ "smtpd_forbid_bare_newline_reject_code = 521".
+
+- The Postfix SMTP server no longer strips extra <CR> as in
+ <CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
+ that send attack sequences that real mail servers cannot send.
+ Details at https://www.postfix.org/false-smuggling-claims.html
+
+- The old setting "yes" has become an alias for "normalize".
+
+- The old setting "no" has not changed, and allows SMTP smuggling.
-Security: the Postfix SMTP server optionally disconnects a remote
-SMTP client that sends a 'bare newline' line ending in SMTP. This
-prevents an SMTP smuggling attack on recipients at a Postfix server.
-For background, see https://www.postfix.org/smtp-smuggling.html
-
-Sites concerned about SMTP smuggling attacks should enable this
-feature in Internet-facing Postfix servers. For compatibility with
-non-standard clients, Postfix by default excludes clients in
-mynetworks from this countermeasure.
-
-The recommended settings are:
-
- # Optionally disconnect remote SMTP clients that send bare newlines,
- # but allow local clients with non-standard SMTP implementations
- # such as netcat, fax machines, or load balancer health checks.
+The recommended settings are now:
+
+ # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ # Otherwise, allow bare <LF> and process it as if the client sent
+ # <CR><LF>.
+ #
+ # This maintains compatibility with many legitimate SMTP client
+ # applications that send a mix of standard and non-standard line
+ # endings, but will fail to receive email from client implementations
+ # that do not terminate DATA content with the standard End-of-DATA
+ # sequence <CR><LF>.<CR><LF>.
#
- smtpd_forbid_bare_newline = no
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
-This feature is back-ported from Postfix 3.9, with the difference
-that "smtpd_forbid_bare_newline = no" by default.
-
+Alternative settings:
+
+ # Reject input lines that contain <LF> and log a "bare <LF> received"
+ # error. Require that input lines end in <CR><LF>, and require the
+ # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ #
+ # This will reject email from SMTP clients that send any non-standard
+ # line endings such as web applications, netcat, or load balancer
+ # health checks.
+ #
+ # This will also reject email from services that use BDAT to send
+ # MIME text containing a bare newline (RFC 3030 Section 3 requires
+ # canonical MIME format for text message types, defined in RFC 2045
+ # Sections 2.7 and 2.8).
+ #
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = reject
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+ #
+ # Alternatively, in the case of BDAT violations, BDAT can be selectively
+ # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+ # disabled with smtpd_discard_ehlo_keywords.
+ #
+ # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+ # /path/to/file:
+ # 10.0.0.0/24 chunking, silent-discard
+ # smtpd_discard_ehlo_keywords = chunking, silent-discard
+
Major changes with Postfix 3.5.20
=================================
diff -Nru postfix-3.5.23/src/cleanup/cleanup.c postfix-3.5.24/src/cleanup/cleanup.c
--- postfix-3.5.23/src/cleanup/cleanup.c 2019-11-09 19:00:15.000000000 -0500
+++ postfix-3.5.24/src/cleanup/cleanup.c 2024-01-19 14:16:32.000000000 -0500
@@ -128,6 +128,14 @@
/* .IP "\fBmessage_strip_characters (empty)\fR"
/* The set of characters that Postfix will remove from message
/* content.
+/* .PP
+/* Available in Postfix version 3.9, 3.8.5, 3.7.10, 3.6.14,
+/* 3.5.24, and later:
+/* .IP "\fBcleanup_replace_stray_cr_lf (yes)\fR"
+/* Replace each stray <CR> or <LF> character in message
+/* content with a space character, to prevent outbound SMTP smuggling,
+/* and to make the evaluation of Postfix-added DKIM or other signatures
+/* independent from how a remote mail server handles such characters.
/* BEFORE QUEUE MILTER CONTROLS
/* .ad
/* .fi
diff -Nru postfix-3.5.23/src/cleanup/cleanup_init.c postfix-3.5.24/src/cleanup/cleanup_init.c
--- postfix-3.5.23/src/cleanup/cleanup_init.c 2022-04-17 18:10:42.000000000 -0400
+++ postfix-3.5.24/src/cleanup/cleanup_init.c 2024-01-19 14:16:32.000000000 -0500
@@ -173,6 +173,7 @@
int var_always_add_hdrs; /* always add missing headers */
int var_virt_addrlen_limit; /* stop exponential growth */
char *var_hfrom_format; /* header_from_format */
+int var_cleanup_mask_stray_cr_lf; /* replace stray CR or LF with space */
const CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0,
@@ -189,6 +190,7 @@
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
VAR_AUTO_8BIT_ENC_HDR, DEF_AUTO_8BIT_ENC_HDR, &var_auto_8bit_enc_hdr,
VAR_ALWAYS_ADD_HDRS, DEF_ALWAYS_ADD_HDRS, &var_always_add_hdrs,
+ VAR_CLEANUP_MASK_STRAY_CR_LF, DEF_CLEANUP_MASK_STRAY_CR_LF, &var_cleanup_mask_stray_cr_lf,
0,
};
diff -Nru postfix-3.5.23/src/cleanup/cleanup_message.c postfix-3.5.24/src/cleanup/cleanup_message.c
--- postfix-3.5.23/src/cleanup/cleanup_message.c 2021-07-24 18:20:43.000000000 -0400
+++ postfix-3.5.24/src/cleanup/cleanup_message.c 2024-01-19 14:16:32.000000000 -0500
@@ -930,6 +930,23 @@
char *dst;
/*
+ * Replace each stray CR or LF with one space. These are not allowed in
+ * SMTP, and can be used to enable outbound (remote) SMTP smuggling.
+ * Replacing these early ensures that our later DKIM etc. signature will
+ * not be invalidated. Besides preventing SMTP smuggling, replacing stray
+ * <CR> or <LF> ensures that the result of signature validation by a
+ * later mail system will not depend on how that mail system handles
+ * those stray characters in an implementation-dependent manner.
+ *
+ * The input length is not changed, therefore it is safe to overwrite the
+ * input.
+ */
+ if (var_cleanup_mask_stray_cr_lf)
+ for (dst = (char *) buf; dst < buf + len; dst++)
+ if (*dst == '\r' || *dst == '\n')
+ *dst = ' ';
+
+ /*
* Reject unwanted characters.
*
* XXX Possible optimization: simplify the loop when the "reject" set
diff -Nru postfix-3.5.23/src/global/cleanup_strerror.c postfix-3.5.24/src/global/cleanup_strerror.c
--- postfix-3.5.23/src/global/cleanup_strerror.c 2008-01-08 16:07:47.000000000 -0500
+++ postfix-3.5.24/src/global/cleanup_strerror.c 2024-01-19 14:22:28.000000000 -0500
@@ -67,6 +67,7 @@
CLEANUP_STAT_SIZE, 552, "5.3.4", "message file too big",
CLEANUP_STAT_CONT, 550, "5.7.1", "message content rejected",
CLEANUP_STAT_WRITE, 451, "4.3.0", "queue file write error",
+ CLEANUP_STAT_BARE_LF, 521, "5.5.2", "bare <LF> received",
};
static CLEANUP_STAT_DETAIL cleanup_stat_success = {
diff -Nru postfix-3.5.23/src/global/cleanup_user.h postfix-3.5.24/src/global/cleanup_user.h
--- postfix-3.5.23/src/global/cleanup_user.h 2014-07-13 11:15:53.000000000 -0400
+++ postfix-3.5.24/src/global/cleanup_user.h 2024-01-19 14:16:32.000000000 -0500
@@ -64,6 +64,12 @@
#define CLEANUP_STAT_DEFER (1<<8) /* Temporary reject */
/*
+ * Non-cleanup errors that live in the same bitmask space, to centralize
+ * error handling.
+ */
+#define CLEANUP_STAT_BARE_LF (1<<16) /* Bare <LF> received */
+
+ /*
* These are set when we can't bounce even if we were asked to.
*/
#define CLEANUP_STAT_MASK_CANT_BOUNCE \
diff -Nru postfix-3.5.23/src/global/mail_params.h postfix-3.5.24/src/global/mail_params.h
--- postfix-3.5.23/src/global/mail_params.h 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/src/global/mail_params.h 2024-01-19 14:16:32.000000000 -0500
@@ -4145,11 +4145,18 @@
* Backwards compatibility.
*/
#define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline"
-#define DEF_SMTPD_FORBID_BARE_LF 0
+#define DEF_SMTPD_FORBID_BARE_LF "no"
#define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions"
#define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS
+#define VAR_SMTPD_FORBID_BARE_LF_CODE "smtpd_forbid_bare_newline_reject_code"
+#define DEF_SMTPD_FORBID_BARE_LF_CODE 550
+
+#define VAR_CLEANUP_MASK_STRAY_CR_LF "cleanup_replace_stray_cr_lf"
+#define DEF_CLEANUP_MASK_STRAY_CR_LF 1
+extern int var_cleanup_mask_stray_cr_lf;
+
/*
* Share TLS sessions through tlsproxy(8).
*/
diff -Nru postfix-3.5.23/src/global/mail_version.h postfix-3.5.24/src/global/mail_version.h
--- postfix-3.5.23/src/global/mail_version.h 2023-12-22 13:56:18.000000000 -0500
+++ postfix-3.5.24/src/global/mail_version.h 2024-01-19 14:17:51.000000000 -0500
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20231222"
-#define MAIL_VERSION_NUMBER "3.5.23"
+#define MAIL_RELEASE_DATE "20240121"
+#define MAIL_VERSION_NUMBER "3.5.24"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -Nru postfix-3.5.23/src/global/smtp_stream.c postfix-3.5.24/src/global/smtp_stream.c
--- postfix-3.5.23/src/global/smtp_stream.c 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/src/global/smtp_stream.c 2024-01-19 14:16:32.000000000 -0500
@@ -51,7 +51,8 @@
/* char *format;
/* va_list ap;
/*
-/* int smtp_forbid_bare_lf;
+/* int smtp_detect_bare_lf;
+/* int smtp_got_bare_lf;
/* AUXILIARY API
/* int smtp_get_noexcept(vp, stream, maxlen, flags)
/* VSTRING *vp;
@@ -126,16 +127,16 @@
/* smtp_vprintf() is the machine underneath smtp_printf().
/*
/* smtp_get_noexcept() implements the subset of smtp_get()
-/* without long jumps for timeout or EOF errors. Instead,
+/* without timeouts and without making long jumps. Instead,
/* query the stream status with vstream_feof() etc.
-/* This function will make a VSTREAM long jump (error code
-/* SMTP_ERR_LF) when rejecting input with a bare newline byte.
+/*
+/* This function assigns smtp_got_bare_lf = smtp_detect_bare_lf,
+/* if smtp_detect_bare_lf is non-zero and the last read line
+/* was terminated with a bare newline. Otherwise, this function
+/* sets smtp_got_bare_lf to zero.
/*
/* smtp_timeout_setup() is a backwards-compatibility interface
/* for programs that don't require per-record deadline support.
-/*
-/* smtp_forbid_bare_lf controls whether smtp_get_noexcept()
-/* will reject input with a bare newline byte.
/* DIAGNOSTICS
/* .fi
/* .ad
@@ -208,7 +209,8 @@
#include "smtp_stream.h"
-int smtp_forbid_bare_lf;
+int smtp_detect_bare_lf;
+int smtp_got_bare_lf;
/* smtp_timeout_reset - reset per-stream error flags, restart deadline timer */
@@ -371,6 +373,8 @@
int last_char;
int next_char;
+ smtp_got_bare_lf = 0;
+
/*
* It's painful to do I/O with records that may span multiple buffers.
* Allow for partial long lines (we will read the remainder later) and
@@ -413,11 +417,15 @@
*/
case '\n':
vstring_truncate(vp, VSTRING_LEN(vp) - 1);
- if (smtp_forbid_bare_lf
- && (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r'))
- vstream_longjmp(stream, SMTP_ERR_LF);
- while (VSTRING_LEN(vp) > 0 && vstring_end(vp)[-1] == '\r')
- vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+ if (smtp_detect_bare_lf) {
+ if (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r')
+ smtp_got_bare_lf = smtp_detect_bare_lf;
+ else
+ vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+ } else {
+ while (VSTRING_LEN(vp) > 0 && vstring_end(vp)[-1] == '\r')
+ vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+ }
VSTRING_TERMINATE(vp);
/* FALLTRHOUGH */
diff -Nru postfix-3.5.23/src/global/smtp_stream.h postfix-3.5.24/src/global/smtp_stream.h
--- postfix-3.5.23/src/global/smtp_stream.h 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/src/global/smtp_stream.h 2024-01-19 14:16:32.000000000 -0500
@@ -32,7 +32,6 @@
#define SMTP_ERR_QUIET 3 /* silent cleanup (application) */
#define SMTP_ERR_NONE 4 /* non-error case */
#define SMTP_ERR_DATA 5 /* application data error */
-#define SMTP_ERR_LF 6 /* bare <LF> protocol error */
extern void smtp_stream_setup(VSTREAM *, int, int);
extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);
@@ -44,7 +43,8 @@
extern void smtp_fwrite(const char *, ssize_t len, VSTREAM *);
extern void smtp_fread_buf(VSTRING *, ssize_t len, VSTREAM *);
extern void smtp_fputc(int, VSTREAM *);
-extern int smtp_forbid_bare_lf;
+extern int smtp_detect_bare_lf;
+extern int smtp_got_bare_lf;
extern void smtp_vprintf(VSTREAM *, const char *, va_list);
diff -Nru postfix-3.5.23/src/smtpd/smtpd.c postfix-3.5.24/src/smtpd/smtpd.c
--- postfix-3.5.23/src/smtpd/smtpd.c 2023-12-22 13:55:36.000000000 -0500
+++ postfix-3.5.24/src/smtpd/smtpd.c 2024-01-19 14:16:32.000000000 -0500
@@ -766,12 +766,17 @@
/* .PP
/* Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
/* .IP "\fBsmtpd_forbid_bare_newline (Postfix < 3.9: no)\fR"
-/* Reply with "Error: bare <LF> received" and disconnect
-/* when a remote SMTP client sends a line ending in <LF>, violating
-/* the RFC 5321 requirement that lines must end in <CR><LF>.
+/* Reject or restrict input lines from an SMTP client that end in
+/* <LF> instead of the standard <CR><LF>.
/* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
/* Exclude the specified clients from smtpd_forbid_bare_newline
/* enforcement.
+/* .PP
+/* Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and
+/* later:
+/* .IP "\fBsmtpd_forbid_bare_newline_reject_code (550)\fR"
+/* The numerical Postfix SMTP server response code when rejecting a
+/* request with "smtpd_forbid_bare_newline = reject".
/* TARPIT CONTROLS
/* .ad
/* .fi
@@ -1477,8 +1482,10 @@
char *var_smtpd_uproxy_proto;
int var_smtpd_uproxy_tmout;
-bool var_smtpd_forbid_bare_lf;
+char *var_smtpd_forbid_bare_lf;
char *var_smtpd_forbid_bare_lf_excl;
+int var_smtpd_forbid_bare_lf_code;
+static int bare_lf_mask;
static NAMADR_LIST *bare_lf_excl;
/*
@@ -1555,7 +1562,6 @@
#define REASON_TIMEOUT "timeout"
#define REASON_LOST_CONNECTION "lost connection"
#define REASON_ERROR_LIMIT "too many errors"
-#define REASON_BARE_LF "bare <LF> received"
#ifdef USE_TLS
@@ -1574,6 +1580,40 @@
*/
static DICT *smtpd_cmd_filter;
+ /*
+ * Bare LF and End-of-DATA controls (bare CR is handled elsewhere).
+ *
+ * At the smtp_get*() line reader level, setting any of these flags in the
+ * smtp_detect_bare_lf variable enables the detection of bare newlines. The
+ * line reader will set the same flags in the smtp_got_bare_lf variable
+ * after it detects a bare newline, otherwise it clears smtp_got_bare_lf.
+ *
+ * At the SMTP command level, the flags in smtp_got_bare_lf control whether
+ * commands ending in a bare newline are rejected.
+ *
+ * At the DATA and BDAT content level, the flags in smtp_got_bare_lf control
+ * whether the standard End-of-DATA sequence CRLF.CRLF is required, and
+ * whether lines ending in bare newlines are rejected.
+ *
+ * Postfix implements "delayed reject" after detecting a bare newline in BDAT
+ * or DATA content. The SMTP server delays a REJECT response until the
+ * command is finished, instead of replying and hanging up immediately. The
+ * End-of-DATA detection is secured with BARE_LF_FLAG_WANT_STD_EOD.
+ */
+#define BARE_LF_FLAG_WANT_STD_EOD (1<<0) /* Require CRLF.CRLF */
+#define BARE_LF_FLAG_REPLY_REJECT (1<<1) /* Reject bare newline */
+
+#define IS_BARE_LF_WANT_STD_EOD(m) ((m) & BARE_LF_FLAG_WANT_STD_EOD)
+#define IS_BARE_LF_REPLY_REJECT(m) ((m) & BARE_LF_FLAG_REPLY_REJECT)
+
+static const NAME_CODE bare_lf_mask_table[] = {
+ "normalize", BARE_LF_FLAG_WANT_STD_EOD, /* Default */
+ "yes", BARE_LF_FLAG_WANT_STD_EOD, /* Migration aid */
+ "reject", BARE_LF_FLAG_WANT_STD_EOD | BARE_LF_FLAG_REPLY_REJECT,
+ "no", 0,
+ 0, -1, /* error */
+};
+
#ifdef USE_SASL_AUTH
/*
@@ -3516,6 +3556,7 @@
int curr_rec_type;
int prev_rec_type;
int first = 1;
+ int prev_got_bare_lf = 0;
/*
* Copy the message content. If the cleanup process has a problem, keep
@@ -3529,12 +3570,15 @@
* XXX Deal with UNIX-style From_ lines at the start of message content
* because sendmail permits it.
*/
- for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) {
+ for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type,
+ prev_got_bare_lf = smtp_got_bare_lf) {
if (smtp_get(state->buffer, state->client, var_line_limit,
SMTP_GET_FLAG_NONE) == '\n')
curr_rec_type = REC_TYPE_NORM;
else
curr_rec_type = REC_TYPE_CONT;
+ if (IS_BARE_LF_REPLY_REJECT(smtp_got_bare_lf))
+ state->err |= CLEANUP_STAT_BARE_LF;
start = vstring_str(state->buffer);
len = VSTRING_LEN(state->buffer);
if (first) {
@@ -3547,9 +3591,14 @@
if (len > 0 && IS_SPACE_TAB(start[0]))
out_record(out_stream, REC_TYPE_NORM, "", 0);
}
- if (prev_rec_type != REC_TYPE_CONT && *start == '.'
- && (proxy == 0 ? (++start, --len) == 0 : len == 1))
- break;
+ if (prev_rec_type != REC_TYPE_CONT && *start == '.') {
+ if (len == 1 && IS_BARE_LF_WANT_STD_EOD(smtp_detect_bare_lf)
+ && (smtp_got_bare_lf || prev_got_bare_lf))
+ /* Do not store or send to proxy filter. */
+ continue;
+ if (proxy == 0 ? (++start, --len) == 0 : len == 1)
+ break;
+ }
if (state->err == CLEANUP_STAT_OK) {
if (ENFORCING_SIZE_LIMIT(var_message_limit)
&& var_message_limit - state->act_size < len + 2) {
@@ -3702,6 +3751,11 @@
else
smtpd_chat_reply(state,
"250 2.0.0 Ok: queued as %s", state->queue_id);
+ } else if ((state->err & CLEANUP_STAT_BARE_LF) != 0) {
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ log_whatsup(state, "reject", "bare <LF> received");
+ smtpd_chat_reply(state, "%d 5.5.2 %s Error: bare <LF> received",
+ var_smtpd_forbid_bare_lf_code, var_myhostname);
} else if (why && IS_SMTP_REJECT(STR(why))) {
state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state, "%s", STR(why));
@@ -3982,7 +4036,6 @@
*/
done = 0;
do {
- int payload_err;
/*
* Do not skip the smtp_fread_buf() call if read_len == 0. We still
@@ -3996,10 +4049,6 @@
smtp_fread_buf(state->buffer, read_len, state->client);
state->bdat_get_stream = vstream_memreopen(
state->bdat_get_stream, state->buffer, O_RDONLY);
- vstream_control(state->bdat_get_stream, CA_VSTREAM_CTL_EXCEPT,
- CA_VSTREAM_CTL_END);
- if ((payload_err = vstream_setjmp(state->bdat_get_stream)) != 0)
- vstream_longjmp(state->client, payload_err);
/*
* Read lines from the fragment. The last line may continue in the
@@ -4024,6 +4073,8 @@
/* Skip the out_record() and VSTRING_RESET() calls below. */
break;
}
+ if (IS_BARE_LF_REPLY_REJECT(smtp_got_bare_lf))
+ state->err |= CLEANUP_STAT_BARE_LF;
start = vstring_str(state->bdat_get_buffer);
len = VSTRING_LEN(state->bdat_get_buffer);
if (state->err == CLEANUP_STAT_OK) {
@@ -4675,9 +4726,9 @@
*/
xclient_allowed =
namadr_list_match(xclient_hosts, state->name, state->addr);
- smtp_forbid_bare_lf = SMTPD_STAND_ALONE((state)) == 0
- && var_smtpd_forbid_bare_lf
- && !namadr_list_match(bare_lf_excl, state->name, state->addr);
+ smtp_detect_bare_lf = (SMTPD_STAND_ALONE((state)) == 0 && bare_lf_mask
+ && !namadr_list_match(bare_lf_excl, state->name, state->addr)) ?
+ bare_lf_mask : 0;
/* NOT: tls_reset() */
if (got_helo == 0)
helo_reset(state);
@@ -5496,13 +5547,6 @@
var_myhostname);
break;
- case SMTP_ERR_LF:
- state->reason = REASON_BARE_LF;
- if (vstream_setjmp(state->client) == 0)
- smtpd_chat_reply(state, "521 5.5.2 %s Error: bare <LF> received",
- var_myhostname);
- break;
-
case 0:
/*
@@ -5719,6 +5763,13 @@
}
watchdog_pat();
smtpd_chat_query(state);
+ if (IS_BARE_LF_REPLY_REJECT(smtp_got_bare_lf)) {
+ log_whatsup(state, "reject", "bare <LF> received");
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ smtpd_chat_reply(state, "%d 5.5.2 %s Error: bare <LF> received",
+ var_smtpd_forbid_bare_lf_code, var_myhostname);
+ break;
+ }
/* Safety: protect internal interfaces against malformed UTF-8. */
if (var_smtputf8_enable && valid_utf8_string(STR(state->buffer),
LEN(state->buffer)) == 0) {
@@ -6062,11 +6113,11 @@
namadr_list_match(xforward_hosts, state.name, state.addr);
/*
- * Enforce strict SMTP line endings, with compatibility exclusions.
+ * Reject or normalize bare LF, with compatibility exclusions.
*/
- smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0
- && var_smtpd_forbid_bare_lf
- && !namadr_list_match(bare_lf_excl, state.name, state.addr);
+ smtp_detect_bare_lf = (SMTPD_STAND_ALONE((&state)) == 0 && bare_lf_mask
+ && !namadr_list_match(bare_lf_excl, state.name, state.addr)) ?
+ bare_lf_mask : 0;
/*
* See if we need to turn on verbose logging for this client.
@@ -6133,6 +6184,10 @@
MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS),
var_smtpd_forbid_bare_lf_excl);
+ if ((bare_lf_mask = name_code(bare_lf_mask_table, NAME_CODE_FLAG_NONE,
+ var_smtpd_forbid_bare_lf)) < 0)
+ msg_fatal("bad parameter value: '%s = %s'",
+ VAR_SMTPD_FORBID_BARE_LF, var_smtpd_forbid_bare_lf);
/*
* Open maps before dropping privileges so we can read passwords etc.
@@ -6428,6 +6483,7 @@
VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0,
VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0,
VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0,
+ VAR_SMTPD_FORBID_BARE_LF_CODE, DEF_SMTPD_FORBID_BARE_LF_CODE, &var_smtpd_forbid_bare_lf_code, 500, 599,
VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0,
@@ -6491,7 +6547,6 @@
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
- VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
@@ -6606,6 +6661,7 @@
VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
+ VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf, 1, 0,
0,
};
static const CONFIG_RAW_TABLE raw_table[] = {
diff -Nru postfix-3.5.23/src/smtpd/smtpd_check.c postfix-3.5.24/src/smtpd/smtpd_check.c
--- postfix-3.5.23/src/smtpd/smtpd_check.c 2021-11-06 19:44:46.000000000 -0400
+++ postfix-3.5.24/src/smtpd/smtpd_check.c 2024-01-19 14:16:32.000000000 -0500
@@ -48,6 +48,11 @@
/*
/* char *smtpd_check_queue(state)
/* SMTPD_STATE *state;
+/* AUXILIARY FUNCTIONS
+/* void log_whatsup(state, action, text)
+/* SMTPD_STATE *state;
+/* const char *action;
+/* const char *text;
/* DESCRIPTION
/* This module implements additional checks on SMTP client requests.
/* A client request is validated in the context of the session state.
@@ -146,6 +151,11 @@
/* The recipient address given with the RCPT TO or VRFY command.
/* .IP size
/* The message size given with the MAIL FROM command (zero if unknown).
+/* .PP
+/* log_whatsup() logs "<queueid>: <action>: <protocol state>
+/* from: <client-name[client-addr]>: <text>" plus the protocol
+/* (SMTP or ESMTP), and if available, EHLO, MAIL FROM, or RCPT
+/* TO.
/* BUGS
/* Policies like these should not be hard-coded in C, but should
/* be user-programmable instead.
@@ -987,8 +997,8 @@
/* log_whatsup - log as much context as we have */
-static void log_whatsup(SMTPD_STATE *state, const char *whatsup,
- const char *text)
+void log_whatsup(SMTPD_STATE *state, const char *whatsup,
+ const char *text)
{
VSTRING *buf = vstring_alloc(100);
diff -Nru postfix-3.5.23/src/smtpd/smtpd_check.h postfix-3.5.24/src/smtpd/smtpd_check.h
--- postfix-3.5.23/src/smtpd/smtpd_check.h 2017-12-27 17:29:45.000000000 -0500
+++ postfix-3.5.24/src/smtpd/smtpd_check.h 2024-01-19 14:16:32.000000000 -0500
@@ -25,6 +25,7 @@
extern char *smtpd_check_data(SMTPD_STATE *);
extern char *smtpd_check_eod(SMTPD_STATE *);
extern char *smtpd_check_policy(SMTPD_STATE *, char *);
+extern void log_whatsup(SMTPD_STATE *, const char *, const char *);
/* LICENSE
/* .ad
--- End Message ---