Zimbra and SMTP Smuggling attack on Postfix

Barry de Graaff info at barrydegraaff.nl
Thu Dec 28 10:16:28 CET 2023


From:

https://blog.zimbra.com/2023/12/zimbra-and-smtp-smuggling-attack-on-postfix/


Recently an SMTP Smuggling attack on Postfix 
<https://www.postfix.org/smtp-smuggling.html> was published, as 
mentioned by the Postfix project:

/Days before a 10+ day holiday break and associated production change 
freeze, SEC Consult has published an email spoofing attack that involves 
a composition of email services with specific differences in the way 
they handle line endings other than <CR><LF>./

/Unfortunately, critical information provided by the researcher was not 
passed on to Postfix maintainers before publication of the attack, 
otherwise we would certainly have convinced SEC Consult to postpone 
publication until after people had a chance to update their Postfix or 
other affected systems./

/The net result: a presumably unintended zero-day attack was published 
because some people weren’t aware of the scope of the attack./

At this time it means an upstream fix by Postfix is needed to fully fix 
the security issue.

Zimbra will create a patch with updated configuration files and an 
updated version of Postfix as soon as possible; meanwhile we recommend 
adding:

smtpd_discard_ehlo_keywords=chunking

To the bottom of all the following files:

/opt/zimbra/common/conf/main.cf
/opt/zimbra/common/conf/main.cf.default
/opt/zimbra/common/conf/main.cf.proto

And then as the OS user /zimbra/ restart the MTA:

zmmtactl restart

The following line should already be set in the configuration files, but 
be sure to check if it is indeed present on your installation:

smtpd_data_restrictions = reject_unauth_pipelining
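
One way to script the steps above and confirm the result. This is an added example, not part of the Zimbra post or Zimbra's tooling. The function names, the .bak backup suffix, the --apply switch, the assumption that each setting sits on a single line, and the choice to check both settings in all three files are this example's own.

```shell
#!/bin/sh
# Added example: apply and verify the interim workaround from the post.
CONF_DIR="${CONF_DIR:-/opt/zimbra/common/conf}"
FILES="main.cf main.cf.default main.cf.proto"
WORKAROUND="smtpd_discard_ehlo_keywords=chunking"

# Print the last (effective) value of parameter $2 in file $1, lower-cased and
# with whitespace removed. Assumption: the setting fits on one line.
effective_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# Append the workaround to each file in directory $1 unless it is already in effect.
apply_workaround() {
    for f in $FILES; do
        path="$1/$f"
        [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
        case "$(effective_value "$path" smtpd_discard_ehlo_keywords)" in
            *chunking*) echo "already set: $path" ;;
            *)  cp -p "$path" "$path.bak"          # .bak name is this example's choice
                # A file lacking a final newline would glue the new line to the old one.
                [ -z "$(tail -c 1 "$path")" ] || printf '\n' >> "$path"
                printf '%s\n' "$WORKAROUND" >> "$path"
                echo "updated: $path" ;;
        esac
    done
}

# Return 0 only if every file in directory $1 carries both settings.
verify_conf() {
    rc=0
    for f in $FILES; do
        path="$1/$f"
        case "$(effective_value "$path" smtpd_discard_ehlo_keywords)" in
            *chunking*) ;;
            *) echo "FAIL: CHUNKING not discarded in $path" >&2; rc=1 ;;
        esac
        case "$(effective_value "$path" smtpd_data_restrictions)" in
            *reject_unauth_pipelining*) ;;
            *) echo "FAIL: reject_unauth_pipelining missing in $path" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

if [ "${1:-}" = "--apply" ]; then
    apply_workaround "$CONF_DIR" && verify_conf "$CONF_DIR" &&
        echo "Now restart the MTA as the zimbra user: zmmtactl restart"
fi
```

Running verify_conf on its own after a later Zimbra patch or upgrade shows whether the files were regenerated without the workaround.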