From fa72e015ee642bef1b1533378c6d67cc1d732bff Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 23 Mar 2024 12:59:39 -0400 Subject: [PATCH 1/2] Update SMTP Smuggling protection to the 'long-term fix' * Revert "Guard against SMTP smuggling", commit faf23f150c5fa85c8e9af1e345d796d2c36a4577, by restoring the setting to its default. * Revert "[security] SMTP smuggling: update short term fix (#2346)", commmit e931e103fe1d6db81681e3c9732d21e9860acdcd, by restoring the setting to its default. * Set smtpd_forbid_bare_newline=normalize. --- setup/mail-postfix.sh | 12 +++++++++--- tools/editconf.py | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index eab152fb..24969513 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -70,10 +70,16 @@ tools/editconf.py /etc/postfix/main.cf \ bounce_queue_lifetime=1d # Guard against SMTP smuggling -# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html +# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html. +# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is +# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds +# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords +# was never included in a released version of Mail-in-a-Box). +tools/editconf.py /etc/postfix/main.cf -e \ + smtpd_data_restrictions= \ + smtpd_discard_ehlo_keywords= tools/editconf.py /etc/postfix/main.cf \ - smtpd_data_restrictions=reject_unauth_pipelining \ - smtpd_discard_ehlo_keywords="chunking, silent-discard" + smtpd_forbid_bare_newline=normalize # ### Outgoing Mail diff --git a/tools/editconf.py b/tools/editconf.py index 0438695b..db19e5f1 100755 --- a/tools/editconf.py +++ b/tools/editconf.py @@ -30,7 +30,7 @@ import sys, re # sanity check if len(sys.argv) < 3: - print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c ] [-t] NAME=VAL [NAME=VAL ...]") + print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c ] [-t] NAME=VAL [NAME=VAL ...]") sys.exit(1) # parse command line arguments From 14d0e20eabe93a390b4f7f842696f5bf32bc2f53 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 23 Mar 2024 13:18:14 -0400 Subject: [PATCH 2/2] CHANGELOG entries --- CHANGELOG.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c855c214..0bebc800 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,31 @@ CHANGELOG ========= +In Development +-------------- + +Package updates: + +* Roundcube updated to version 1.6.6. +* Nextcloud is updated to version 22.0.12. + +Mail: + +* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html). + +Control Panel: + +* Improved reporting of Spamhaus response codes. +* Improved detection of SSH port. +* Fixed an error if last saved status check results were corrupted. +* Other minor fixes. + +Other: + +* fail2ban is updated to see "HTTP/2.0" requests to munin also. +* Internal improvements to the code to make it more reliable and readable. + + Version 67 (December 22, 2023) ------------------------------