=====================================================================

                                  CERT-Renater

                       Note d'Information No. 2024/VULN049
_____________________________________________________________________

DATE                : 22/01/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Postfix versions prior to
                             3.8.5, 3.7.10, 3.6.14, 3.5.24.

=====================================================================
http://www.postfix.org/announcements/postfix-3.8.5.html
_____________________________________________________________________

  Postfix stable release 3.8.5, 3.7.10, 3.6.14, 3.5.24

[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.8.5.html]

[Fixes for Postfix versions < 3.5 will be linked from
https://www.postfix.org/smtp-smuggling.html]

Fixed with Postfix 3.8.5, 3.7.10, 3.6.14, 3.5.24:

     Security: this release improves the defense against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html.

     The improvements provide better logging and better compatibility
with existing SMTP clients (less need to allowlist clients).

     Sites concerned about SMTP smuggling attacks should enable this
feature on Internet-facing Postfix servers. For compatibility with
non-standard clients, Postfix by default excludes clients in
mynetworks from this countermeasure.

     The recommended settings are:

         # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
         # Otherwise, allow bare <LF> and process it as if the client sent
         # <CR><LF>.
         #
         # This maintains compatibility with many legitimate SMTP client
         # applications that send a mix of standard and non-standard line
         # endings, but will fail to receive email from client implementations
         # that do not terminate DATA content with the standard End-of-DATA
         # sequence <CR><LF>.<CR><LF>.
         #
         # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
         # The example below allowlists SMTP clients in trusted networks.
         #
         smtpd_forbid_bare_newline = normalize
         smtpd_forbid_bare_newline_exclusions = $mynetworks

     Notes:

         The default setting is "smtpd_forbid_bare_newline = no" in Postfix
releases < 3.9, for compatibility reasons. This means that Postfix is by
default vulnerable to SMTP smuggling.

         The new setting "smtpd_forbid_bare_newline = normalize" is the
default for Postfix releases 3.9 and later.

         The old setting "smtpd_forbid_bare_newline = yes" is now an alias
for "smtpd_forbid_bare_newline = normalize".

         The new setting "smtpd_forbid_bare_newline = reject" will refuse
commands or message content with a bare newline. For details see the
RELEASE_NOTES or the postconf(5) documentation.
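     To make the difference between the three settings above concrete, the
following is an added illustration written for this note; it is not Postfix
source code and not part of the announcement. It is a simplified model of a
DATA-phase line reader: the "no" branch assumes the legacy behaviour (any
<LF> ends a line, a trailing <CR> is dropped, so a lone "." line ends DATA
however the previous line was terminated), "normalize" accepts only the full
<CR><LF>.<CR><LF> sequence as End-of-DATA, and "reject" refuses bare <LF> in
message content (the real "reject" setting also covers commands, which this
model does not read). The attack stream and all addresses are constructed.

```python
"""
Simplified model of an SMTP DATA-phase reader under the three
smtpd_forbid_bare_newline settings.  Added illustration; NOT Postfix code.
"""
from typing import List, Tuple


class BareNewlineError(Exception):
    """Raised in 'reject' mode when a DATA line ends in a bare <LF>."""


def read_data(stream: bytes, mode: str) -> Tuple[List[bytes], bytes]:
    """Consume DATA-phase bytes up to End-of-DATA.

    Returns (message lines without terminators, bytes left after End-of-DATA).
    Whatever is left over is what the server would parse next as SMTP
    commands, which is exactly what a smuggling attack abuses.

    mode == "no"         assumed legacy model: every <LF> ends a line, a
                         trailing <CR> is dropped, and a lone "." line ends
                         DATA no matter how the previous line ended.
    mode == "normalize"  only <CR><LF>.<CR><LF> ends DATA; a bare <LF>
                         elsewhere is kept as if the client sent <CR><LF>.
    mode == "reject"     a bare <LF> in message content is refused.
    """
    if mode not in ("no", "normalize", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    lines: List[bytes] = []
    pos = 0
    prev_crlf = True  # assumption: the DATA command itself ended with <CR><LF>
    while True:
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise EOFError("stream ended before End-of-DATA")
        raw = stream[pos:nl]
        pos = nl + 1
        crlf = raw.endswith(b"\r")
        line = raw[:-1] if crlf else raw
        if not crlf and mode == "reject":
            raise BareNewlineError(f"bare <LF> after {line!r}")
        # End-of-DATA test: legacy accepts any "." line; normalize/reject
        # require the "." line AND the line before it to end in <CR><LF>.
        if line == b"." and (mode == "no" or (crlf and prev_crlf)):
            return lines, stream[pos:]
        if line.startswith(b".."):  # undo RFC 5321 dot-stuffing
            line = line[1:]
        lines.append(line)
        prev_crlf = crlf


# Constructed attack stream as the receiving server sees it: a benign
# message, an attacker-injected non-standard <LF>.<LF>, then a spoofed
# second envelope.  The relaying server's own <CR><LF>.<CR><LF> comes last.
SMUGGLING_STREAM = (
    b"From: alice@example.org\r\n"
    b"\r\n"
    b"Hello Bob\r\n"
    b"\n.\n"                                   # attacker's bare <LF>.<LF>
    b"MAIL FROM:<ceo@example.org>\r\n"         # meant to start a new envelope
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Pay now\r\n"
    b".\r\n"                                   # relay's real End-of-DATA
)


def commands_after_eod(stream: bytes, mode: str) -> List[bytes]:
    """Command lines the server would execute after End-of-DATA, up to and
    including the next DATA (i.e. the smuggled envelope); [] if none."""
    _, rest = read_data(stream, mode)
    cmds: List[bytes] = []
    for raw in rest.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            break
        cmds.append(line)
        if line.upper() == b"DATA":
            break
    return cmds


if __name__ == "__main__":
    for mode in ("no", "normalize", "reject"):
        try:
            body, _ = read_data(SMUGGLING_STREAM, mode)
            print(mode, "-> body lines:", len(body),
                  "smuggled commands:", commands_after_eod(SMUGGLING_STREAM, mode))
        except BareNewlineError as exc:
            print(mode, "-> DATA refused:", exc)
```

     With "no", the stream is cut at the attacker's <LF>.<LF> and the
spoofed MAIL FROM / RCPT TO / DATA lines are executed as commands; with
"normalize" those lines stay inside the first message's body and nothing
follows the real End-of-DATA; with "reject" the first bare <LF> aborts the
transaction.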

You can find the updated Postfix source code at the mirrors listed
at https://www.postfix.org/.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
