kpriv
/
pkgsrc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mail/postfix: upadte to 3.8.5 

3.8.5 (2024-01-22)

Security: this release improves support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server. For
background, see https://www.postfix.org/smtp-smuggling.html.

The improvements provide better logging, and better compatibility with
existing SMTP clients (less need to allowlist clients).

Sites concerned about SMTP smuggling attacks should enable this feature
on Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.

The recommended settings are:

    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Otherwise, allow bare <LF> and process it as if the client sent
    # <CR><LF>.
    #
    # This maintains compatibility with many legitimate SMTP client
    # applications that send a mix of standard and non-standard line
    # endings, but will fail to receive email from client implementations
    # that do not terminate DATA content with the standard End-of-DATA
    # sequence <CR><LF>.<CR><LF>.
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Notes:

  * The default setting is "smtpd_forbid_bare_newline = no" in Postfix
    releases < 3.9, for compatibility reasons. This means that Postfix
    is by default vulnerable to SMTP smuggling.

  * The new setting "smtpd_forbid_bare_newline = normalize" is the
    default for Postfix releases 3.9 and later.

  * The old setting "smtpd_forbid_bare_newline = yes" is now an alias for
    "smtpd_forbid_bare_newline = normalize".

  * The new setting "smtpd_forbid_bare_newline = reject" will refuse
    commands or message content with a bare newline. For details see
    the RELEASE_NOTES or the postconf(5) documentation.
This commit is contained in:
taca 2024-02-28 15:16:19 +00:00
parent 626145c75b
commit dd3a307b67
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
mail/postfix/Makefile.common
View File

@ -1,8 +1,8 @@
# $NetBSD: Makefile.common,v 1.46 2023/12/22 17:29:17 wiz Exp $
# $NetBSD: Makefile.common,v 1.47 2024/02/28 15:16:19 taca Exp $
# used by mail/postfix/Makefile
# used by mail/postfix/Makefile.module
DISTNAME= postfix-3.8.4
DISTNAME= postfix-3.8.5
CATEGORIES= mail
MASTER_SITES= ftp://ftp.porcupine.org/mirrors/postfix-release/official/

8
mail/postfix/distinfo
View File

@ -1,8 +1,8 @@
$NetBSD: distinfo,v 1.207 2023/12/22 17:29:17 wiz Exp $
$NetBSD: distinfo,v 1.208 2024/02/28 15:16:19 taca Exp $
BLAKE2s (postfix-3.8.4.tar.gz) = f0c1556f2d66b34d0ecb52d84846daec03fdbbfbf743d30a35e1b7d91f30e8e6
SHA512 (postfix-3.8.4.tar.gz) = 5bae3d62e104714aead1fff28a595bab4315227382f53c8dae2a231f4240e31abda19c1e3befc1db4c89bc5d66c9a43830390365aadabdac5cf36b493c5c48c7
Size (postfix-3.8.4.tar.gz) = 4864184 bytes
BLAKE2s (postfix-3.8.5.tar.gz) = c7a28244e2ea352f4631c30fe255e2946cf07a1473401ebc850c55578f4bebde
SHA512 (postfix-3.8.5.tar.gz) = 26005da5750e7af742f4fc7596ae8320467176e069546c3487418c663b54f56734b4a6541665b8d72d94df2e0fd4f68a2bcc44c50a6d950334d5a5fb2293dff4
Size (postfix-3.8.5.tar.gz) = 4871284 bytes
SHA1 (patch-aa) = c8216f133e202a7bb37682b0dbc1448f021e7c1c
SHA1 (patch-ag) = 8ab3cfafa63056f9a7f096da7e55bcccab965180
SHA1 (patch-ai) = 3d143532e1e9a149c6c06e2efadcd34f6f72e82d