The Postfix team have released version 3.8.4 to fix smtp smuggling.
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Advisory
========
Postfix has been updated to fix smtp smuggling, an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.
References
==========
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Files
=====
Uploaded to core/updates_testing
postfix-ldap-3.8.4-1.mga9
postfix-pgsql-3.8.4-1.mga9
postfix-cdb-3.8.4-1.mga9
postfix-sqlite-3.8.4-1.mga9
postfix-pcre-3.8.4-1.mga9
postfix-mysql-3.8.4-1.mga9
postfix-sdbm-3.8.4-1.mga9
lib64postfix1-3.8.4-1.mga9
postfix-3.8.4-1.mga9
from postfix-3.8.4-1.mga9.src.rpm
Assignee: smelror => qa-bugs
Source RPM: (none) => postfix-3.8.1-2.mga9
CC: (none) => marja11
Advisory from comment 1 added to SVN. Also added 'CVE-2023-<still unknown>', because a CVE had been requested yesterday by Marcus Meissner and I expect this issue to get one, soon, after which the advisory in SVN can be updated. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
Don't put
CVE:
- CVE-2023-<still unknown>
in the svn advisory, those two lines should be removed. Just add a comment in the advisory itself that a cve is pending.
Otherwise the malformed cve will mess up the generation of http://advisories.mageia.org/ when the advisory is pushed along with the package.
Add the CVE: line and actual cve number when updating the advisory later.
I don't think the malformed cve will stop the update from being pushed, but given how strict the script is on other things, it wouldn't surprise me.
Also don't forget the leading space in the cve number line, which is currently missing.
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #3)
> Don't put
> CVE:
> - CVE-2023-<still unknown>
>
> in the svn advisory, those two lines should be removed. Just add a comment in
> the advisory itself that a cve is pending.
Done
<snip>
>
> Also don't forget the leading space in the cve number line, which is
> currently missing.
papoteur has been studying yaml when he wrote mga-advisor and discovered that we were using leading spaces than we should according to the yaml documentation. So he left out the ones for the references and CVEs, and it works well. For instance, 32071.adv was processed fine.
s/leading/more leading/
From: https://www.postfix.org/smtp-smuggling.html
Dec 24: someone (not at SEC Consult) created CVE-2023-51764. Unfortunately this contains many factual errors. Wietse has informed the person who requested the CVE.
I have added it to the advisory in SVN though, because it'll surely be corrected.
CVE: (none) => CVE-2023-51764
Wietse complains any time someone requests a CVE for postfix because he likes to brag about how few CVEs it's had over the years.
(In reply to Marja Van Waes from comment #6)
> From: https://www.postfix.org/smtp-smuggling.html
According to this, the recommended settings:
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
are not the default in 3.8.4, so it will be fixed in 3.9 only?
CC: (none) => geex+mageia
Nice presentation about this: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
@Guilliaume: sure, we have to change the main.cf file. And maybe add some more information on update
CC: (none) => mageia
*** Bug 32677 has been marked as a duplicate of this bug. ***
Linux xxxx.xxxx.xxxx 6.5.13-desktop-6.mga9 #1 SMP PREEMPT_DYNAMIC Sun Dec 17 22:42:25 UTC 2023 x86_64 GNU/Linux
Installed and configured existing postfix (along with procmail, fetchmail, and mutt for processing and viewing mail as I usually do and as my postfix config calls for).
http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/postfix-3.8.1-2.mga9.x86_64.rpm
http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64postfix1-3.8.1-2.mga9.x86_64.rpm
installing postfix-3.8.1-2.mga9.x86_64.rpm lib64postfix1-3.8.1-2.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ###############################################################################################################################################################################
1/2: lib64postfix1 ###############################################################################################################################################################################
2/2: postfix ###############################################################################################################################################################################
Ran a few tests to ensure mail was sent and received/processed as intended.
Manually updated to 3.8.4-1 from updates_testing.
installing postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm from .
Preparing... ###############################################################################################################################################################################
1/2: lib64postfix1 ###############################################################################################################################################################################
2/2: postfix ##############################################################################################################################################################################
warning: /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
Re-ran all tests and found everything worked as it did prior to the update. My tests do not by any means use all the functions available with postfix but the things I do use all worked.
The update is good AFAICS.
CC: (none) => mhrambo3501
Installed using QA repo. MGA x86_64.
There are some warnings but I cannot judge whether they are important to consider.
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
Paquetage Version Révision Arch
(média « QA Testing (64-bit) »)
lib64postfix1 3.8.4 1.mga9 x86_64
postfix 3.8.4 1.mga9 x86_64
un espace additionnel de 11Ko sera utilisé.
2.1Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n)
installation de postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm depuis //rpmbuild/qa-testing/x86_64
Préparation... ###################################################################################
1/2: lib64postfix1 ###################################################################################
2/2: postfix #################################################################################attention : /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
##
postfix: Postfix is using backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl): Warning: The unit file, source configuration file or drop-ins of postfix.service changed on disk. Run 'systemctl daemon-reload' to reload units.
[ OK ]
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl): [ OK ]
1/2: désinstallation de postfix-1:3.8.1-2.mga9.x86_64 ###################################################################################
2/2: désinstallation de lib64postfix1-1:3.8.1-2.mga9.x86_64 ###################################################################################
I have some addons on my main.cf to use a relayhost.
I use
smtp_tls_security_level = encrypt
instead of
smtp_tls_security_level = may
as proposed by the rpmnew
I removed also:
#containment for CVE-2023-51764
# SMTP smuggling mitigation
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
service restarted
test email sent and it worked
It works as expected, for my use which is to get system email sent out, using a relayhost (external smtp provider).
Hope it helps.
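
The two sets of main.cf settings mentioned so far in this thread (the ones quoted from postfix.org and the interim containment lines) can be checked for with a small audit script. This is an added example, not part of the bug report or of Postfix; the function names `main_cf_get`, `has_word` and `smuggling_posture`, the three labels it prints and the sample files are all made up for illustration.

```shell
# Effective value of parameter $2 in main.cf-style file $1. Rules applied:
# "#" lines are comments, a line starting with whitespace continues the
# previous logical line, and the last definition of a parameter wins.
main_cf_get() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") val[name] = val[name] " " $0; next }
        {
            eq = index($0, "="); if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            val[name] = substr($0, eq + 1)
        }
        END { v = val[want]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    ' "$1"
}

# True when list value $1 (comma or whitespace separated) contains word $2.
has_word() {
    case " $(printf '%s' "$1" | tr ',\t' '  ') " in *" $2 "*) return 0 ;; esac
    return 1
}

# Classify file $1 (labels are this example's own): "recommended" for the
# setting quoted from postfix.org, "containment" for the two interim lines,
# "none" otherwise. Only explicit main.cf entries are read, not built-in defaults.
smuggling_posture() {
    if [ "$(main_cf_get "$1" smtpd_forbid_bare_newline)" = yes ]; then
        echo recommended
    elif has_word "$(main_cf_get "$1" smtpd_data_restrictions)" reject_unauth_pipelining &&
         has_word "$(main_cf_get "$1" smtpd_discard_ehlo_keywords)" chunking; then
        echo containment
    else
        echo none
    fi
}

# Constructed sample files (not taken from any tester's system).
demo=$(mktemp -d)
printf '%s\n' '#containment for CVE-2023-51764' \
    'smtpd_data_restrictions = reject_unauth_pipelining' \
    'smtpd_discard_ehlo_keywords = chunking' > "$demo/interim.cf"
printf '%s\n' 'smtpd_forbid_bare_newline = no' \
    'smtpd_forbid_bare_newline_exclusions =' '    $mynetworks' \
    'smtpd_forbid_bare_newline = yes' > "$demo/fixed.cf"
printf '%s\n' '#smtpd_forbid_bare_newline = yes' \
    'smtpd_data_restrictions = reject_unauth_pipelining' > "$demo/partial.cf"
for f in interim fixed partial; do
    echo "$f.cf: $(smuggling_posture "$demo/$f.cf")"
done
```

To audit a live system, point `smuggling_posture` at /etc/postfix/main.cf, and also at main.cf.rpmnew when the update leaves one behind.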
[dave@x3 advisories]$ cd
[dave@x3 ~]$ rpm -q postfix
postfix-3.8.4-1.mga9
[dave@x3 ~]$ systemctl status postfix.service
● postfix.service - LSB: Starts the postfix daemons
     Loaded: loaded (/etc/rc.d/init.d/postfix; generated)
    Drop-In: /etc/systemd/system/postfix.service.d
             └─override.conf
     Active: active (running) since Thu 2024-02-01 10:40:13 EST; 3 days ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1583 ExecStart=/etc/rc.d/init.d/postfix start (code=exited, status=0/SUCCESS)
   Main PID: 2091 (master)
      Tasks: 3 (limit: 19085)
     Memory: 54.7M
        CPU: 3.847s
     CGroup: /system.slice/postfix.service
             ├─ 2091 /usr/libexec/postfix/master -w
             ├─ 2192 qmgr -l -t unix -u -c
             └─164352 pickup -l -t unix -u -c -o content_filter= -o receive_override_options=
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 32E5D3C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 32E5D3C22FE: message-id=<20240204092615.32E5D3C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: from=<root@x3.hodgins.homeip.net>, size=8136, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 32E5D3C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to ma>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: removed
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 421883C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 421883C22FE: message-id=<20240204092615.421883C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: from=<root@x3.hodgins.homeip.net>, size=151145, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 421883C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=154, delays=154/0/0/0.01, dsn=2.0.0, status=sent (delivered to mail>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: removed
Also tested on my rpi4b where it's working too. No regressions noticed.
Validating the update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
(In reply to Stig-Ørjan Smelror from comment #0)
> The Postfix team have released version 3.8.4 to fix smtp smuggling.
>
> https://www.postfix.org/smtp-smuggling.html
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Installed today. Seems good here.
ISP will not allow incoming mail....ofw
Outbound via relay.
For what I'm able to test, looks ok.
Jim
CC: (none) => jim
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0029.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I get some installation issues. after install I get the notice:
ldd: warning: you do not have execution permission for `/var/spool/postfix/lib64/libcap.so.2'
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2.52'
ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory
I can't see we ship "dict_pcre.so".
ls -la /var/spool/postfix/usr/lib64/libcap.so*
-rw-r--r-- 1 root root 129184 Jun 22 2023 /var/spool/postfix/usr/lib64/libcap.so.2.52
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
(In reply to Marc Krämer from comment #16)
> I get some installation issues. after install I get the notice:
>
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/lib64/libcap.so.2'
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/usr/lib64/libcap.so.2.52'
> ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory
>
>
> I can't see we ship "dict_pcre.so".
>
> ls -la /var/spool/postfix/usr/lib64/libcap.so*
> -rw-r--r-- 1 root root 129184 Jun 22 2023
> /var/spool/postfix/usr/lib64/libcap.so.2.52
Please open new bug against postfix-3.8.4-1.mga9.src.rpm
For the execution permission, I've seen it before without it stopping postfix from working properly.
For pcre, I've never seen it. See https://unix.stackexchange.com/questions/572243/postfix-pcre-maps-broken-in-rhel8-error-unsupported-dictionary-type-pcre
If you need it for a specific configuration, the postfix-pcre package is available.
It sounds like the pcre issue is not a regression of postfix and the update is working like it did before. If that issue should still be addressed, please open a new bug, but I'm closing this one that has to do with the update.
CC: (none) => dan
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
Blocks: (none) => 32832