• Info

  • Postfix - SMTP Smuggling Attack

There is a new attack against Postfix: SMTP Smuggling, please read: https://www.postfix.org/smtp-smuggling.html

Debian already implemented the fix, but we need to modify /etc/postfix/main.cf and restart Postfix.

  • Add this lines at the end of the file /etc/postfix/main.cf:

    # SMTP Smuggling  -  https://www.postfix.org/smtp-smuggling.html
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
#

    Please note: SuSE did not implement this fix up to today (1.1.2024). I hope, SuSE will implement the fix in the next days. If you are on an SuSE system, please read the article mentioned above, for some suggestions how to implement a temporary fix on your system. You my add this lines also to an Postfix on SuSE, when SuSE implements the fix, the configuration is already in place.

  • Set the compatibility level to 3.7 (a requirement):
    postconf compatibility_level=3.7

  • Check the Postfix configuration:
    postfix check
    Please not, Debian should not report any issues, SuSE should report two unused parameters (smtpd_forbid_bare_newline=yes and smtpd_forbid_bare_newline_exclusions=$mynetworks) as long as SuSE did not implement the fix.

  • Restart Postfix:
    systemctl restart postfix

  • Debian, the fix is now active. SuSE see above.

  • For the fix on Open SuSE 15.6, see the post #. 12: https://community.grommunio.com/d/1393-postfix-smtp-smuggling-attack/12

Hi Walter H,

thanks for your afforts to keep us on the safe side :-)

Perhaps I have mistaken, but I get the following errormessage when executing postfix check

postfix: fatal: bad numerical configuration: compatibility_level = 3.7

OS is suse (the Appliance).

can you help somehow?

Thank you

If you have an older OS, try compatibility_level = 3.6 or 3.5.

ok thanks, went all the way down to 3 and that worked. now it is "only" complaining about the two new parameters

    emtie down to 3

    which OS and which Postfix version you are using?

      cat /etc/os-release says:

      NAME="grommunio"
VERSION="2023.11.2"
ID"grommunio-lds"
ID_LIKE="suse"
VERSION_ID="2023.11.2"
PRETTY_NAME="grommunio"
...

      And postconf -d | grep mail_version says

      mail_version = 3.5.9

      Your postfix seams to be outdated, my system reports:

      # cat /etc/os-release
NAME="grommunio"
VERSION="2023.11.2"
ID="grommunio-lds"
ID_LIKE="suse"
VERSION_ID="2023.11.2"
PRETTY_NAME="grommunio"
ANSI_COLOR="0;36"
HOME_URL="https://grommunio.com/"
DOCUMENTATION_URL="https://docs.grommunio.com/"

      My Postfix reports: 3.7.3, this is the expected version.

      # postconf -d | grep mail_version
mail_version = 3.7.3

      Try to update your system:
      zypper ref -f; zypper up
      or better:
      zypper ref -f; zypper dup

      Hi WalterH,

      I did zypper ref -f; zypper dup but zypper did hold back some update. those updates are "bind-utils gio-branding-openSUSE postfix postfix-mysql xen-libs yast2-network"

      First Error Message is:
      "Nichts stellt libuv1 = 1.44.2 bereit, dass vom zu installierenden bind-utils-9.16.42-150500.8.3.1.x86_64 benötigt wird"

      what can i do? I don't know if the respoitory is of interest or relevant for the error - I am on the supported version repository...

      So, did try to update only postfix by using zypper update postfix ->Problem: nichts stellt 'liblmdb-0.9.30.so()(64bit)' bereit, das vom zu installierenden postfix-3.7.3-150500.3.11.1.x86_64 benötigt wird

      hmpft, does somebody have a solution for this?

      found the solution. the base respository was on openSUSE version 15.4. while the grommunio repositories were von 15.5... after updating everything worked well

      did you run a zypper ref -f; zypper dup to update all packages?

      a year later

      SuSE implemented the fix for the SMTP Smuggling attack with Open SuSE 15.6.

      • update to Open SuSE 15.6 https://community.grommunio.com/d/1879-update-form-open-suse-155-to-156 and modify the /etc/postfix/main.cf file.

      • Set the compatibility level to 3.8 (a requirement):
        postconf compatibility_level=3.8

      • Add the two new parameters
        postconf smtpd_forbid_bare_newline = yes
        postconf smtpd_forbid_bare_newline_exclusions = $mynetworks

      • Check the Postfix configuration:
        postfix check
        Please not, SuSE should not report any issues any longer.

      • Restart Postfix:
        systemctl restart postfix

      © 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Legal notice