[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.8.5.html]
[Fixes for Postfix versions < 3.5 will be linked from https://www.postfix.org/smtp-smuggling.html]
Fixed with Postfix 3.8.5, 3.7.10, 3.6.14, 3.5.24:
Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html.
The improvements provide better logging, and better compatibility with existing SMTP clients (less need to allowlist clients).
Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.
The recommended settings are:
    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Otherwise, allow bare <LF> and process it as if the client sent
    # <CR><LF>.
    #
    # This maintains compatibility with many legitimate SMTP client
    # applications that send a mix of standard and non-standard line
    # endings, but will fail to receive email from client implementations
    # that do not terminate DATA content with the standard End-of-DATA
    # sequence <CR><LF>.<CR><LF>.
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks
Notes:
The default setting is "smtpd_forbid_bare_newline = no" in Postfix releases < 3.9, for compatibility reasons. This means that Postfix is by default vulnerable to SMTP smuggling.
The new setting "smtpd_forbid_bare_newline = normalize" is the default for Postfix releases 3.9 and later.
The old setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize".
The new setting "smtpd_forbid_bare_newline = reject" will refuse commands or message content with a bare newline. For details see the RELEASE_NOTES or the postconf(5) documentation.
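To make the two hardened settings and the exclusion list concrete, here is an added Python model of the policy described above; it is not Postfix's own code, and the helper names (effective_mode, read_data) and the sample network list standing in for $mynetworks are assumptions for illustration.

```python
import ipaddress

# Only the standard End-of-DATA sequence may terminate message content.
END_OF_DATA = b"\r\n.\r\n"


def effective_mode(client_ip, mode="normalize", exclusions=("127.0.0.0/8",)):
    """Apply smtpd_forbid_bare_newline_exclusions: a client inside an excluded
    network falls back to the legacy 'no' behaviour; everyone else gets `mode`.
    (Hypothetical helper; `exclusions` stands in for $mynetworks.)"""
    ip = ipaddress.ip_address(client_ip)
    for net in exclusions:
        if ip in ipaddress.ip_network(net, strict=False):
            return "no"
    return mode


def read_data(raw, mode):
    """Model of the DATA phase under 'normalize' or 'reject' (not Postfix code).
    `raw` is everything the client sent after the 354 reply to DATA.
    Returns (lines, verdict, bare_newlines); verdict is 'ok', 'reject' or
    'incomplete'.  The bare-newline count is what a server would log."""
    if mode not in ("normalize", "reject"):
        raise ValueError("only the hardened modes are modelled: " + mode)
    # Prefix CRLF so an End-of-DATA at the very start of the stream is found.
    stream = b"\r\n" + raw
    end = stream.find(END_OF_DATA)
    if end < 0:
        # A bare <LF>.<LF> never ends DATA: a client that sends only that
        # never completes the message (the compatibility cost named above).
        return [], "incomplete", 0
    content = stream[2:end]
    parts = content.split(b"\n") if content else []
    lines, bare = [], 0
    for i, line in enumerate(parts):
        if line.endswith(b"\r"):
            line = line[:-1]
        elif i < len(parts) - 1:
            # Terminated by a bare <LF>: counted for logging, then handled
            # as if the client had sent <CR><LF>.
            bare += 1
        if line.startswith(b"."):      # undo RFC 5321 dot-stuffing
            line = line[1:]
        lines.append(line)
    if mode == "reject" and bare:
        return [], "reject", bare
    return lines, "ok", bare
```

Under 'normalize' a message containing a bare <LF>.<LF> is delivered with that dot line kept as content rather than being cut short there, while 'reject' refuses the whole message as soon as any bare newline appears.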
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.