Update SMTP Smuggling protection to the 'long-term fix'

* Revert "Guard against SMTP smuggling", commit faf23f150c, by restoring the setting to its default. * Revert "[security] SMTP smuggling: update short term fix (#2346)", commmit e931e103fe, by restoring the setting to its default. * Set smtpd_forbid_bare_newline=normalize.
2026-03-07 16:17:23 +01:00 · 2024-03-23 12:59:39 -04:00
parent 1a239c55bb
commit fa72e015ee
2 changed files with 10 additions and 4 deletions
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -70,10 +70,16 @@ tools/editconf.py /etc/postfix/main.cf \
 	bounce_queue_lifetime=1d

 # Guard against SMTP smuggling
-# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
+# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
+# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
+# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
+# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
+# was never included in a released version of Mail-in-a-Box).
+tools/editconf.py /etc/postfix/main.cf -e \
+       smtpd_data_restrictions= \
+       smtpd_discard_ehlo_keywords=
 tools/editconf.py /etc/postfix/main.cf \
-	smtpd_data_restrictions=reject_unauth_pipelining \
-	smtpd_discard_ehlo_keywords="chunking, silent-discard"
+       smtpd_forbid_bare_newline=normalize

 # ### Outgoing Mail