Situation
Vulnerability CVE-2023-51764 affecting Postfix has been discovered.
Impact
-
The authenticated attacker can use the "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text, to spoof an email message from any MAIL FROM address whose domain is also hosted at email service A, to any RCPT TO address whose domain is also hosted at email service B.
-
The spoofed email message will pass SPF-based DMARC checks at email service B, because the spoofed message has a MAIL FROM address whose domain is hosted at email service A, and because the message was received from an IP address for email service A.
Call to action
Update Plesk to the latest version.
If update is not possible at the moment, apply the workaround:
The idea is to reject unauthorized SMTP command pipelining (one network packet contains multiple lines with smuggled SMTP commands and message content), and to reject BDAT commands. That will stop many forms of the published attack (BDAT is part of the CHUNKING extension; it allows command pipelining that isn't allowed with the DATA command).
NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.
-
Connect to the server via SSH.
-
Check Postfix version - first line of the output:
# postconf -d | grep mail_version
-
Modify Postfix configuration:
- for Postfix 3.9.x, 3.8.4, 3.7.9, 3.6.13 and 3.5.23 or later, add following line to
/etc/postfix/main.cf
:smtpd_forbid_bare_newline = yes
- for Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 or later, add following lines to
/etc/postfix/main.cf
:smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard - Otherwise, add:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
- for Postfix 3.9.x, 3.8.4, 3.7.9, 3.6.13 and 3.5.23 or later, add following line to
For example: if you have Postfix version 3.8.5 you need to apply the first option (because 3.8.5 >= 3.8.4). If you have Postfix version 3.6.11, use option 2 (because 3.6.11 is less than 3.6.13, but greater than 3.6.10). Please note, that options two and three can break some legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare.
The below Postfix versions are not yet available for Plesk supported OSes
A long-term fix is now available for Postfix 3.8.4, 3.7.9, 3.6.13 and 3.5.23. This stops all forms of the smuggling attacks on recipients at a Postfix server. It introduces a new optional feature that is disabled by default.
With "smtpd_forbid_bare_newline = yes", the Postfix SMTP server disconnects a remote SMTP client that sends a line ending in a 'bare newline'. The default setting is "no".
Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.
The recommended settings are:
main.cf: # Optionally disconnect remote SMTP clients that send bare newlines, # but allow local clients with non-standard SMTP implementations # such as netcat, fax machines, or load balancer health checks. # smtpd_forbid_bare_newline = yes smtpd_forbid_bare_newline_exclusions = $mynetworks
Comments
0 comments
Please sign in to leave a comment.