diff --git a/postfix-main.cf.patch b/postfix-main.cf.patch
index 2b0c699..b5c75d9 100644
--- a/postfix-main.cf.patch
+++ b/postfix-main.cf.patch
@@ -1,5 +1,7 @@
---- conf/main.cf.orig 2022-11-14 15:57:24.689108581 +0100
-+++ conf/main.cf 2022-11-14 16:02:33.255317483 +0100
+Index: conf/main.cf
+===================================================================
+--- conf/main.cf.orig
++++ conf/main.cf
 @@ -285,7 +285,7 @@ unknown_local_recipient_reject_code = 55
 #
 #mynetworks = 168.100.3.0/28, 127.0.0.0/8
@@ -48,7 +50,7 @@
 # PARALLEL DELIVERY TO THE SAME DESTINATION
 #
-@@ -682,4 +683,149 @@ sample_directory =
+@@ -682,4 +683,155 @@ sample_directory =
 # readme_directory: The location of the Postfix README files.
 #
 readme_directory =
@@ -105,6 +107,12 @@
 +
 +smtpd_recipient_restrictions =
 +
++# mitigation for CVE-2023-51764 - SMTP smuggling attack
++# but allow local clients with non-standard SMTP implementations
++# such as netcat, fax machines, or load balancer health checks.
++#
++smtpd_forbid_bare_newline = yes
++smtpd_forbid_bare_newline_exclusions = $mynetworks
 +
 +############################################################
 +# SASL stuff
diff --git a/postfix.changes b/postfix.changes
index 50b9180..4adef6d 100644
--- a/postfix.changes
+++ b/postfix.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Dec 28 07:57:23 UTC 2023 - Dirk Müller
+
+- update default configuration to enable the long-term fix for
+ bsc#1218304, CVE-2023-51764, SMTP smuggling attack:
+ * smtpd_forbid_bare_newline = yes
+ * smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 -------------------------------------------------------------------
 Fri Dec 22 17:57:57 UTC 2023 - Arjen de Korte
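Review bot: `smtpd_forbid_bare_newline_exclusions = $mynetworks` ties the scope of the exemption to whatever $mynetworks resolves to, and the context in the first hunk shows `mynetworks` left commented out in this main.cf, so the exempt set comes from Postfix's `mynetworks_style` default rather than an explicit list. Clients in that set may still deliver bare-newline input, so any host that lands in $mynetworks unintentionally (for example a whole subnet when mynetworks_style resolves to subnet) loses the CVE-2023-51764 mitigation; a comment above the exclusion line such as `# exempt set is exactly $mynetworks; keep it limited to hosts that need it` would make that trade-off visible where the setting is edited. Later Postfix releases also extended the accepted values of smtpd_forbid_bare_newline (e.g. `normalize`, `reject`), so it is worth confirming that `yes` maps to the intended behaviour for the packaged version. The inner main.cf hunk continues outside this diff.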