Merge c585192dd7 into 7646095b94

This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html:

    smtpd_data_restrictions=reject_unauth_pipelining

CHANGELOG.md

@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+Version 67 (December 22, 2023)
+------------------------------
+
+* Guard against a newly published vulnerability called SMTP Smuggling. See https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/.
+
 Version 66 (December 17, 2023)
 ------------------------------
 

README.md

@@ -60,7 +60,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele
 
 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v66
+	$ git checkout v67
 
 Begin the installation.
 

setup/bootstrap.sh

@@ -23,7 +23,7 @@ if [ -z "$TAG" ]; then
 	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
 		# This machine is running Ubuntu 22.04, which is supported by
 		# Mail-in-a-Box versions 60 and later.
-		TAG=v66
+		TAG=v67
 	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04, which is supported by
 		# Mail-in-a-Box versions 0.40 through 5x.

setup/mail-postfix.sh

@@ -69,6 +69,11 @@ tools/editconf.py /etc/postfix/main.cf \
 	maximal_queue_lifetime=2d \
 	bounce_queue_lifetime=1d
 
+# Guard against SMTP smuggling
+# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
+tools/editconf.py /etc/postfix/main.cf \
+	smtpd_data_restrictions=reject_unauth_pipelining
+
 # ### Outgoing Mail
 
 # Enable the 'submission' ports 465 and 587 and tweak their settings.
@@ -290,6 +295,81 @@ chmod +x /etc/cron.daily/mailinabox-postgrey-whitelist
 tools/editconf.py /etc/postfix/main.cf \
 	message_size_limit=134217728
 
+# install the postfix MTA-STS resolver.  the MTA-STS resolver service is
+# used by Postfix to ensure outgoing mail uses TLS when the recipient
+# announces MTA-STS.
+hide_output /usr/bin/pip3 install --upgrade postfix-mta-sts-resolver aiosqlite
+
+# add a user to use solely for MTA-STS resolution
+id -u mta-sts &>/dev/null || useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /usr/sbin/nologin
+
+# create systemd services for MTA-STS
+cat > /etc/systemd/system/postfix-mta-sts-daemon@.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon instance
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=mta-sts
+Group=mta-sts
+ExecStart=/usr/local/bin/mta-sts-daemon
+Restart=always
+KillMode=process
+TimeoutStartSec=10
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/postfix-mta-sts.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/systemctl start postfix-mta-sts-daemon@main.service
+ExecReload=/bin/systemctl start postfix-mta-sts-daemon@backup.service ; /bin/systemctl restart postfix-mta-sts-daemon@main.service ; /bin/systemctl stop postfix-mta-sts-daemon@backup.service
+ExecStop=/bin/systemctl stop postfix-mta-sts-daemon@main.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# create the cache directory for the MTA-STS daemon
+mkdir -p $STORAGE_ROOT/mta-sts
+chown -R mta-sts:mta-sts $STORAGE_ROOT/mta-sts
+
+# configure the MTA-STS daemon for postfix
+cat > /etc/mta-sts-daemon.yml << EOF
+host: 127.0.0.1
+port: 8461
+reuse_port: true
+shutdown_timeout: 20
+cache:
+  type: sqlite
+  options:
+    filename: "$STORAGE_ROOT/mta-sts/mta-sts-cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+zones:
+  myzone:
+    strict_testing: false
+    timeout: 4
+EOF
+
+# add postfix configuration
+tools/editconf.py /etc/postfix/main.cf \
+	smtp_tls_policy_maps=socketmap:inet:127.0.0.1:8461:postfix
+
+# enable and start the MTA-STS service
+hide_output /bin/systemctl enable postfix-mta-sts.service
+restart_service postfix-mta-sts
+
 # Allow the two SMTP ports in the firewall.
 
 ufw_allow smtp