Subject
Something else that requires developers' attention
Description
A vulnerability affecting several mail server implementations, including postfix, has been disclosed recently.
See the related postfix documentation page for more details: https://www.postfix.org/smtp-smuggling.html
While a short-term workaround exists, it is only partial:
NOTE: This will stop only the published form of the attack. Other forms exist that will not be stopped in this manner.
Postfix should be updated to a version in which the vulnerability is fixed (3.8.4, 3.7.9, 3.6.13 or 3.5.23), and the new optional feature smtpd_forbid_bare_newline should be set to yes. The feature will be enabled by default for postfix >= 3.9.
If the smtpd_forbid_bare_newline feature cannot be enabled for backward-compatibility reasons, you could release a patch version of DMS with one of the patched postfix versions and let users decide whether they want to enable the feature via their local configuration.
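As an added check (example code written for this note, not part of the issue, of Postfix or of DMS): a small POSIX sh helper that tells, from a Postfix version string and the current value of smtpd_forbid_bare_newline, whether an installation is unpatched, only upgraded, or upgraded with the option enabled. The version thresholds are the ones listed above; 3.9 and later count as fixed because the option is on by default there. The two postconf calls in the usage comment are real, but the helper itself takes plain strings so it can be run anywhere.

```shell
#!/bin/sh
# Added example: classify a Postfix install against the SMTP smuggling fix.
# Fixed releases per the issue: 3.8.4, 3.7.9, 3.6.13, 3.5.23; >= 3.9 has the
# smtpd_forbid_bare_newline option enabled by default.

# Return 0 if "$1" (e.g. "3.8.4") is at least the fixed release of its branch.
postfix_has_smuggling_fix() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;            # "3.8" with no patch level counts as 3.8.0
    esac
    if [ "$major" -ne 3 ]; then
        [ "$major" -gt 3 ]          # 4.x and later: fixed; 2.x: not fixed
        return
    fi
    case "$minor" in
        5) [ "$patch" -ge 23 ] ;;
        6) [ "$patch" -ge 13 ] ;;
        7) [ "$patch" -ge 9 ] ;;
        8) [ "$patch" -ge 4 ] ;;
        *) [ "$minor" -ge 9 ] ;;    # 3.9+ fixed, 3.4 and older unfixed
    esac
}

# Print one status line. $1 = mail_version, $2 = value of
# smtpd_forbid_bare_newline ("yes", "no", or empty when an older postconf
# does not know the parameter at all).
smuggling_mitigation_status() {
    if ! postfix_has_smuggling_fix "$1"; then
        echo "unpatched: upgrade to 3.8.4/3.7.9/3.6.13/3.5.23 or newer"
    elif [ "$2" = "yes" ]; then
        echo "mitigated: fixed release and smtpd_forbid_bare_newline=yes"
    else
        echo "partial: fixed release but smtpd_forbid_bare_newline is not yes"
    fi
}

# Usage on a live host (the values come from these two real postconf calls):
#   smuggling_mitigation_status "$(postconf -h mail_version)" \
#       "$(postconf -h smtpd_forbid_bare_newline 2>/dev/null)"
# To enable the option once on a fixed release:
#   postconf -e 'smtpd_forbid_bare_newline = yes' && postfix reload
```

A "partial" result on a fixed release means only the published form of the attack is blocked by whatever workaround is in place; the option still needs to be set, or left to each DMS user's local configuration as suggested above.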