Bug 32647 - Postfix security update - 3.8.4
Summary: Postfix security update - 3.8.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 32677
Depends on:
Blocks: 32832
 
Reported: 2023-12-22 21:17 CET by Stig-Ørjan Smelror
Modified: 2024-02-11 12:20 CET

See Also:
Source RPM: postfix-3.8.1-2.mga9
CVE: CVE-2023-51764
Status comment:



Description Stig-Ørjan Smelror 2023-12-22 21:17:50 CET
The Postfix team have released version 3.8.4 to fix smtp smuggling.

https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Comment 1 Stig-Ørjan Smelror 2023-12-22 21:56:20 CET
Advisory
========

Postfix has been updated to fix smtp smuggling, an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

References
==========

https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Files
=====

Uploaded to core/updates_testing

postfix-ldap-3.8.4-1.mga9
postfix-pgsql-3.8.4-1.mga9
postfix-cdb-3.8.4-1.mga9
postfix-sqlite-3.8.4-1.mga9
postfix-pcre-3.8.4-1.mga9
postfix-mysql-3.8.4-1.mga9
postfix-sdbm-3.8.4-1.mga9
lib64postfix1-3.8.4-1.mga9
postfix-3.8.4-1.mga9

from postfix-3.8.4-1.mga9.src.rpm

Assignee: smelror => qa-bugs

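The advisory above describes the mechanism only in one sentence: receivers disagree on whether a dot line surrounded by something other than <CR><LF> ends the DATA phase. The following added example (not code from Postfix, Mageia or anyone in this thread) models three receiver policies over a constructed byte stream so the disagreement is visible. The stream, the policy names and the "forbid_bare" behaviour are this example's own assumptions; "forbid_bare" is a simplified stand-in for what the thread's recommended smtpd_forbid_bare_newline setting is meant to achieve, not Postfix's actual code path.

```python
"""Model how an SMTP receiver's end-of-DATA rule decides whether a second
message can be smuggled inside the first.

Constructed example: the byte stream below is what an inbound server might
receive after it answered "354" to DATA. Policy names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CRLF = b"\r\n"


@dataclass
class ReceiverView:
    messages: List[bytes] = field(default_factory=list)  # bodies as delivered
    commands: List[bytes] = field(default_factory=list)  # lines parsed as commands
    error: Optional[str] = None


def _lines(stream: bytes) -> List[bytes]:
    """Split after every LF, keeping each line's terminator attached."""
    return [line for line in re.split(rb"(?<=\n)", stream) if line]


def parse_data_stream(stream: bytes, policy: str) -> ReceiverView:
    """Interpret a stream sent after DATA under one of three receiver policies.

    "lenient"     a line that is just "." ends the message whatever line
                  ending surrounds it (<LF>.<LF>, <CR><LF>.<LF>, ...): vulnerable
    "strict"      only <CR><LF>.<CR><LF> ends the message (RFC 5321); a bare
                  <LF> dot line is ordinary message text
    "forbid_bare" like strict, but any line ending in a bare <LF> aborts the
                  session (simplified model of smtpd_forbid_bare_newline = yes)
    Dot-unstuffing is ignored; it does not affect where the message ends.
    """
    view = ReceiverView()
    in_data = True
    body: List[bytes] = []
    prev_crlf = True  # the 354 reply ended in CRLF, so we start on a line boundary
    for line in _lines(stream):
        ends_crlf = line.endswith(CRLF)
        if policy == "forbid_bare" and not ends_crlf:
            view.error = "bare <LF> received"
            break
        if in_data:
            is_dot = line.rstrip(b"\r\n") == b"."
            end_of_data = is_dot if policy == "lenient" else (is_dot and ends_crlf and prev_crlf)
            if end_of_data:
                view.messages.append(b"".join(body))
                body = []
                in_data = False  # receiver drops back to command mode
            else:
                body.append(line)
        else:
            cmd = line.rstrip(b"\r\n")
            view.commands.append(cmd)
            if cmd.upper() == b"DATA":
                in_data = True
        prev_crlf = ends_crlf
    return view


# Constructed attacker payload: one SMTP transaction whose body carries a
# bogus <LF>.<LF> terminator followed by a second, spoofed transaction.
SMUGGLED_STREAM = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: harmless\r\n"
    b"\r\n"
    b"hello\r\n"
    b"\n.\n"  # <LF>.<LF>: not a valid terminator, but lenient receivers take it
    b"MAIL FROM:<ceo@example.com>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.com\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"please pay\r\n"
    b".\r\n"  # the genuine terminator, sent by the outbound server
)


def compare_policies(stream: bytes = SMUGGLED_STREAM) -> dict:
    """Summarise (message count, command count, error) per policy."""
    return {
        policy: (len(v.messages), len(v.commands), v.error)
        for policy in ("lenient", "strict", "forbid_bare")
        for v in [parse_data_stream(stream, policy)]
    }


if __name__ == "__main__":
    for policy, summary in compare_policies().items():
        print(f"{policy:12s} messages={summary[0]} commands={summary[1]} error={summary[2]}")
```

The lenient receiver delivers two messages and has executed three attacker-supplied commands, the second message carrying a sender it never authenticated; the strict receiver delivers one message with the bogus commands as harmless body text; the bare-LF-forbidding receiver delivers nothing and drops the session. The real attack additionally needs an outbound server that forwards the <LF>.<LF> unchanged, which the Postfix page linked above covers.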
Marja Van Waes 2023-12-23 21:22:34 CET

Source RPM: (none) => postfix-3.8.1-2.mga9
CC: (none) => marja11

Comment 2 Marja Van Waes 2023-12-23 21:45:42 CET
Advisory from comment 1 added to SVN. Also added 'CVE-2023-<still unknown>', because a CVE had been requested yesterday by Marcus Meissner and I expect this issue to get one, soon, after which the advisory in SVN can be updated.

Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 3 Dave Hodgins 2023-12-23 22:20:16 CET
Don't put
CVE:
- CVE-2023-<still unknown>

in the svn advisory, those two lines should be removed. Just add a comment in
the advisory itself that a cve is pending.

Otherwise the malformed cve will mess up the generation of
http://advisories.mageia.org/
when the advisory is pushed along with the package.

Add the CVE: line and actual cve number when updating the advisory later.

I don't think the malformed cve will stop the update from being pushed, but
given how strict the script is on other things, it wouldn't surprise me.

Also don't forget the leading space in the cve number line, which is currently
missing.

CC: (none) => davidwhodgins

Comment 4 Marja Van Waes 2023-12-23 22:39:39 CET Comment hidden (off-topic)
Comment 5 Marja Van Waes 2023-12-23 22:40:45 CET Comment hidden (off-topic)
Comment 6 Marja Van Waes 2023-12-25 22:20:34 CET
From: https://www.postfix.org/smtp-smuggling.html

Dec 24: someone (not at SEC Consult) created CVE-2023-51764. Unfortunately this contains many factual errors. Wietse has informed the person who requested the CVE. 

I have added it to the advisory in SVN though, because it'll surely be corrected.

CVE: (none) => CVE-2023-51764

Comment 7 David Walser 2023-12-25 22:39:11 CET
Wietse complains any time someone requests a CVE for postfix because he likes to brag about how few CVEs it's had over the years.
Comment 8 Guillaume Bedot 2023-12-26 09:05:47 CET
(In reply to Marja Van Waes from comment #6)
> From: https://www.postfix.org/smtp-smuggling.html

According to this, the recommended settings:
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks

are not the default in 3.8.4, so it will be fixed in 3.9 only ?

CC: (none) => geex+mageia

Comment 9 Marc Krämer 2024-01-03 11:33:50 CET
Nice presentation about this:
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

@Guillaume: sure, we have to change the main.cf file. And maybe add some more information on update

CC: (none) => mageia

Comment 10 Marc Krämer 2024-01-03 11:33:55 CET
*** Bug 32677 has been marked as a duplicate of this bug. ***
Comment 11 Mike Rambo 2024-02-04 18:52:12 CET
Linux xxxx.xxxx.xxxx 6.5.13-desktop-6.mga9 #1 SMP PREEMPT_DYNAMIC Sun Dec 17 22:42:25 UTC 2023 x86_64 GNU/Linux

Installed and configured existing postfix (along with procmail, fetchmail, and mutt for processing and viewing mail as I usually do and as my postfix config calls for).

    http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/postfix-3.8.1-2.mga9.x86_64.rpm
    http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64postfix1-3.8.1-2.mga9.x86_64.rpm                                                                                        
installing postfix-3.8.1-2.mga9.x86_64.rpm lib64postfix1-3.8.1-2.mga9.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                      
Preparing...                     ###############################################################################################################################################################################
      1/2: lib64postfix1         ###############################################################################################################################################################################
      2/2: postfix               ###############################################################################################################################################################################

Ran a few tests to ensure mail was sent and received/processed as intended.

Manually updated to 3.8.4-1 from updates_testing.

installing postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm from .
Preparing...                     ###############################################################################################################################################################################
      1/2: lib64postfix1         ###############################################################################################################################################################################
      2/2: postfix               ##############################################################################################################################################################################
warning: /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew

Re-ran all tests and found everything worked as it did prior to the update. My tests do not by any means use all the functions available with postfix but the things I do use all worked.

The update is good AFAICS.

CC: (none) => mhrambo3501

Comment 12 christian barranco 2024-02-04 18:55:29 CET
Installed using QA repo. MGA x86_64. There are some warnings but I cannot judge whether they are important to consider.

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  lib64postfix1                  3.8.4        1.mga9        x86_64  
  postfix                        3.8.4        1.mga9        x86_64  
11KB of additional disk space will be used.
2.1MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) 


installing postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm from //rpmbuild/qa-testing/x86_64
Preparing...                     ###################################################################################
      1/2: lib64postfix1         ###################################################################################
      2/2: postfix               ###################################################################################
warning: /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
postfix: Postfix is using backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl):  Warning: The unit file, source configuration file or drop-ins of postfix.service changed on disk. Run 'systemctl daemon-reload' to reload units.
[  OK  ]
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl):  [  OK  ]
      1/2: removing postfix-1:3.8.1-2.mga9.x86_64
                                 ###################################################################################
      2/2: removing lib64postfix1-1:3.8.1-2.mga9.x86_64
                                 ###################################################################################



I have some addons on my main.cf to use a relayhost.
I use smtp_tls_security_level = encrypt
instead of smtp_tls_security_level = may
as proposed by the rpmnew

I removed also:
#containment for CVE-2023-51764
# SMTP smuggling mitigation
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking

service restarted
test email sent and it worked

It works as expected, for my use which is to get system email sent out, using a relayhost (external smtp provider).

Hope it helps.
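Comment 8 notes that the recommended settings (smtpd_forbid_bare_newline = yes, smtpd_forbid_bare_newline_exclusions = $mynetworks) are not defaults in 3.8.4, and comment 12 shows a main.cf that carried the interim containment lines (reject_unauth_pipelining, discarding the CHUNKING keyword). Since the update leaves the live /etc/postfix/main.cf untouched and drops the packaged file as main.cf.rpmnew (as both test logs above show), a quick check of the live file is worth having. The following is an added example (not a Mageia or Postfix tool): a small main.cf parser and an audit that reports which of these settings are present. The three sample configurations are constructed; the decision to report the containment settings only when the 3.8.4 fix is off is this example's own choice.

```python
"""Check a Postfix main.cf (or `postconf -n` output) for the SMTP smuggling
settings discussed in this thread. Constructed example, not a Mageia or
Postfix tool; the sample configurations below are made up.
"""
import re
from typing import Dict, List

_PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' lines are comments and a line starting
    with whitespace continues the previous value (main.cf syntax)."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = _PARAM_RE.match(raw)
        if not m:
            continue  # not main.cf syntax; ignore rather than guess
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def _tokens(value: str) -> set:
    """Split a restriction/keyword list on commas and whitespace."""
    return {t.lower() for t in re.split(r"[\s,]+", value) if t}


def audit_smuggling(params: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the 3.8.4 fix is switched on."""
    findings: List[str] = []
    fix_on = params.get("smtpd_forbid_bare_newline", "no").strip().lower() == "yes"
    if not fix_on:
        findings.append("smtpd_forbid_bare_newline is not 'yes': the 3.8.4 fix is not active")
    if "smtpd_forbid_bare_newline_exclusions" not in params:
        findings.append("smtpd_forbid_bare_newline_exclusions not set explicitly "
                        "(value recommended in this thread: $mynetworks)")
    if not fix_on:
        # Without the fix, at least look for the interim containment settings.
        if "reject_unauth_pipelining" not in _tokens(params.get("smtpd_data_restrictions", "")):
            findings.append("no containment: smtpd_data_restrictions lacks reject_unauth_pipelining")
        if "chunking" not in _tokens(params.get("smtpd_discard_ehlo_keywords", "")):
            findings.append("no containment: smtpd_discard_ehlo_keywords lacks chunking")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_smuggling(parse_main_cf(text))


# Constructed sample: a main.cf carried over unchanged from 3.8.1.
MAIN_CF_CARRIED_OVER = """\
# constructed example, not a real site configuration
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::1]/128
smtp_tls_security_level = encrypt
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: only the interim containment lines from comment 12.
MAIN_CF_CONTAINMENT_ONLY = MAIN_CF_CARRIED_OVER + """\
#containment for CVE-2023-51764
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
"""

# Constructed sample: the settings recommended in comment 8 added.
MAIN_CF_HARDENED = MAIN_CF_CARRIED_OVER + """\
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
"""

if __name__ == "__main__":
    for name, cfg in (("carried-over", MAIN_CF_CARRIED_OVER),
                      ("containment-only", MAIN_CF_CONTAINMENT_ONLY),
                      ("hardened", MAIN_CF_HARDENED)):
        print(name, audit_text(cfg) or ["ok"])
```

Feed it the live /etc/postfix/main.cf or the output of `postconf -n`; both use the same name = value syntax. Note that `postconf -n` lists only explicitly set parameters, so for the effective value of a parameter (default included) ask for it by name, e.g. `postconf smtpd_forbid_bare_newline`.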
Comment 13 Dave Hodgins 2024-02-04 18:59:53 CET
[dave@x3 advisories]$ cd
[dave@x3 ~]$ rpm -q postfix
postfix-3.8.4-1.mga9
[dave@x3 ~]$ systemctl status postfix.service
● postfix.service - LSB: Starts the postfix daemons
     Loaded: loaded (/etc/rc.d/init.d/postfix; generated)
    Drop-In: /etc/systemd/system/postfix.service.d
             └─override.conf
     Active: active (running) since Thu 2024-02-01 10:40:13 EST; 3 days ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1583 ExecStart=/etc/rc.d/init.d/postfix start (code=exited, status=0/SUCCESS)
   Main PID: 2091 (master)
      Tasks: 3 (limit: 19085)
     Memory: 54.7M
        CPU: 3.847s
     CGroup: /system.slice/postfix.service
             ├─  2091 /usr/libexec/postfix/master -w
             ├─  2192 qmgr -l -t unix -u -c
             └─164352 pickup -l -t unix -u -c -o content_filter= -o receive_override_options=

Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 32E5D3C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 32E5D3C22FE: message-id=<20240204092615.32E5D3C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: from=<root@x3.hodgins.homeip.net>, size=8136, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 32E5D3C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to ma>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: removed
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 421883C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 421883C22FE: message-id=<20240204092615.421883C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: from=<root@x3.hodgins.homeip.net>, size=151145, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 421883C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=154, delays=154/0/0/0.01, dsn=2.0.0, status=sent (delivered to mail>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: removed

Also tested on my rpi4b where it's working too.

No regressions noticed. Validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK

Comment 14 james Whitby 2024-02-04 22:07:41 CET
(In reply to Stig-Ørjan Smelror from comment #0)
> The Postfix team have released version 3.8.4 to fix smtp smuggling.
> 
> https://www.postfix.org/smtp-smuggling.html
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-
> worldwide/

Installed today. Seems good here.

ISP will not allow incoming mail....ofw

Outbound via relay.
For what I'm able to test, looks ok.

Jim

CC: (none) => jim

Comment 15 Mageia Robot 2024-02-09 02:35:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0029.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 Marc Krämer 2024-02-09 08:17:55 CET
I get some installation issues. after install I get the notice:

ldd: warning: you do not have execution permission for `/var/spool/postfix/lib64/libcap.so.2'
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2.52'
ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory


I can't see we ship "dict_pcre.so".

ls -la /var/spool/postfix/usr/lib64/libcap.so*
-rw-r--r-- 1 root root 129184 Jun 22  2023 /var/spool/postfix/usr/lib64/libcap.so.2.52

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 17 katnatek 2024-02-09 19:25:39 CET
(In reply to Marc Krämer from comment #16)
> I get some installation issues. after install I get the notice:
> 
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/lib64/libcap.so.2'
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/usr/lib64/libcap.so.2.52'
> ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory
> 
> 
> I can't see we ship "dict_pcre.so".
> 
> ls -la /var/spool/postfix/usr/lib64/libcap.so*
> -rw-r--r-- 1 root root 129184 Jun 22  2023
> /var/spool/postfix/usr/lib64/libcap.so.2.52

Please open new bug against
postfix-3.8.4-1.mga9.src.rpm
Comment 18 Dave Hodgins 2024-02-09 20:20:03 CET
For the execution permission, I've seen it before without it stopping postfix
from working properly.

For pcre, I've never seen it.
See https://unix.stackexchange.com/questions/572243/postfix-pcre-maps-broken-in-rhel8-error-unsupported-dictionary-type-pcre

If you need it for a specific configuration, the postfix-pcre package is
available.
Comment 19 Dan Fandrich 2024-02-11 02:10:12 CET
It sounds like the pcre issue is not a regression of postfix and the update is working like it did before. If that issue should still be addressed, please open a new bug, but I'm closing this one that has to do with the update.

CC: (none) => dan
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

Marc Krämer 2024-02-11 12:20:33 CET

Blocks: (none) => 32832

