Update SMTP Smuggling protection to the 'long-term fix'

* Revert "Guard against SMTP smuggling", commit faf23f150c, by restoring the setting to its default.
* Revert "[security] SMTP smuggling: update short term fix (#2346)", commmit e931e103fe, by restoring the setting to its default.
* Set smtpd_forbid_bare_newline=normalize.
This commit is contained in:
Joshua Tauberer 2024-03-23 12:59:39 -04:00
parent 1a239c55bb
commit fa72e015ee
2 changed files with 10 additions and 4 deletions

View File

@ -70,10 +70,16 @@ tools/editconf.py /etc/postfix/main.cf \
bounce_queue_lifetime=1d
# Guard against SMTP smuggling
# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
# was never included in a released version of Mail-in-a-Box).
tools/editconf.py /etc/postfix/main.cf -e \
smtpd_data_restrictions= \
smtpd_discard_ehlo_keywords=
tools/editconf.py /etc/postfix/main.cf \
smtpd_data_restrictions=reject_unauth_pipelining \
smtpd_discard_ehlo_keywords="chunking, silent-discard"
smtpd_forbid_bare_newline=normalize
# ### Outgoing Mail

View File

@ -30,7 +30,7 @@ import sys, re
# sanity check
if len(sys.argv) < 3:
print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
sys.exit(1)
# parse command line arguments