security: postfix SMTP smuggling #3719
Comments
Current state of DMS' Postfix packaging (see https://packages.debian.org/de/postfix):
Due to the way we organize releases, we cannot (or rather, it'd be immensely complicated to) backport such fixes. I do not know how we could provide users of DMS with versions <v14.0.0 with fixes.
Small note: @becker-s thank you very much for reporting this! :) Next time, please use the dedicated security vulnerability reporting feature that we have enabled (https://github.com/docker-mailserver/docker-mailserver/security/advisories/new).
Sure thing! I seem to have missed the "Affected products" section when checking the security vulnerability issue type this morning, leading me to think that that type of issue is only meant for direct vulnerabilities rather than vulnerabilities in dependencies.
According to the tracker page for the postfix Debian packages, only the version in unstable (3.8.4) has been released recently and contains the long-term fix. I assume that the Debian package maintainers will release the fixed version for Debian 12 (Bookworm) and then afterwards follow up with a backport for Debian 11 (Buster) within the next days. Unfortunately, the security researchers that discovered the vulnerability seem not to have included the postfix maintainers in their responsible disclosure process, where proprietary mail providers were informed. As such, both the postfix maintainers and the Debian package maintainers did not have time to prepare and test versions where the vulnerability has been fixed. EDIT: See the respective Debian security tracker entry for the status of the vulnerability in different Debian versions: https://security-tracker.debian.org/tracker/CVE-2023-51764
Quick summary:
For now,
I could imagine Debian will release postfix updates for Debian 11/12 shortly.
That's how I see it too. If the vulnerability is already public knowledge, I don't see any issue with opening an issue here. At best you'd be minimizing awareness? 🤷♂️ I'd expect any capable malicious actor would have no issue finding the same public disclosure.
Technically the scheduled build workflow could be adapted with manual dispatch with tag as an input. I think that would allow for building from the git tagged commit and publishing that tag to DockerHub and GHCR. That should build with the package install process updating to the latest packages available, since we don't introduce any actual change beyond that it should only be packages with updated point releases (bug / security fixes). ClamAV database would be updated too. Probably need to build without any cache used, which I don't think we presently support 🤔
fyi: There will be a talk at 37C3 about SMTP smuggling.
Could you please give me some info on how to properly insert the short-term fix into postfix
into the
You need https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/override-defaults/postfix/ and add the lines there. |
Really, thanks for that hint. Okay, if I see this correctly
Just for reference, since this issue was opened the Postfix announcement link has since updated its content, and includes a new "all versions" fix:
Previously neither the short-term nor the long-term fix was viable for DMS, as the short-term fix
For those of us coming here after the talk at 37c3, is the correct procedure to 'fix' this problem to:
then pasting the lines:
(btw the documentation update instructions incorrectly say 'docker compose' instead of 'docker-compose') It would be nice to get a follow-up comment from someone else here confirming this is the accepted procedure for patching this bug.
Please don't! (see https://docker-mailserver.github.io/docker-mailserver/latest/config/debugging/#preliminary-checks)
The docs are correct; you seem to be using an older version of Docker Compose. The latest versions are a plugin to the
CC @polarathene
What do we do with
This was provided via PR review feedback.
Debian's Bullseye updates repo has been updated to Postfix 3.5.23, which should contain the long-term fix.
I will trigger a build so |
I will re-open; because we should update when merged Debian 12 (right?). |
Do we have an actual blocker related to that reason? I think we resolved this with the v13.2 release, right? (which you released a day after the above comment) See docker-mailserver/CHANGELOG.md, lines 45 to 51 in 2bf5234.
I thought there was a change we could only implement with Debian 12; but I guess I was wrong. I'll close this then. |
The newer Bullseye Postfix patch release backported the long-term fix IIRC. |
Subject
Something else that requires developers attention
Description
A vulnerability affecting several mail server implementations, including postfix, has been disclosed recently.
See the related postfix documentation page for more details: https://www.postfix.org/smtp-smuggling.html
While a short-term workaround exists, it is only partial:
Postfix should be updated to a version in which the vulnerability is fixed (3.8.4, 3.7.9, 3.6.13 or 3.5.23) and the new optional feature `smtpd_forbid_bare_newline` be set to `yes`. The feature will be enabled by default for postfix >= 3.9.
If the `smtpd_forbid_bare_newline` feature cannot be enabled for backward-compatibility reasons, you could release a patch version of DMS with one of the patched postfix versions and let users decide whether they want to enable the feature via their local configuration.