[TODO]: Add smtpd_data_restrictions = reject_unauth_pipelining to main.cf #3741

@polarathene

Description

  • Add smtpd_data_restrictions = reject_unauth_pipelining to main.cf. Include context via comment? (eg: "# Reject clients that speak to Postfix too early (don't wait their turn).")
  • Keep the equivalent in postfix-amavis.cf for visibility as explicit config required by Amavis.
  • Remove reject_unauth_pipelining from earlier restrictions (smtpd_client_restrictions, smtpd_recipient_restrictions).

This change was originally bundled with a tracking issue for adding swaks (since that is required for tests to support the change). That got resolved much earlier than expected, so I've extracted this out to its own separate issue.

This change isn't too important, as it was originally motivated to support a short-term fix for the SMTP Smuggling attack that is no longer necessary.

smtpd_data_restrictions = reject_unauth_pipelining will defer rejection to a later stage (assuming a permit rule didn't skip restrictions prior), where any detected pipelining in the exchange would trigger the restriction, not just within the DATA SMTP command.
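A check for the placement requested above, as an added example (not the project's own code or tests): it parses a main.cf, following continuation lines, and lists which smtpd_*_restrictions parameters carry reject_unauth_pipelining. The function names and both sample fragments are constructed for illustration.

```sh
# Added example; function names and sample main.cf fragments are constructed.
# List each smtpd_*_restrictions parameter whose effective value contains
# reject_unauth_pipelining, following main.cf syntax rules.
pipelining_stages() {
  awk '
    function flush(   name, val) {
      if (logical ~ /^smtpd_[a-z_]*restrictions[ \t]*=/) {
        name = logical; sub(/[ \t]*=.*/, "", name)
        val = logical;  sub(/^[^=]*=/, "", val)
        gsub(/[,\t]/, " ", val)                   # commas and tabs separate items
        if (!(name in value)) order[++n] = name
        value[name] = " " val " "                 # a later assignment replaces an earlier one
      }
      logical = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comment and blank lines are skipped
    /^[ \t]/ { logical = logical " " $0; next }   # leading whitespace continues a line
    { flush(); logical = $0 }
    END { flush(); for (i = 1; i <= n; i++)
            if (index(value[order[i]], " reject_unauth_pipelining ")) print order[i] }
  ' "$1"
}

# Succeeds only when the restriction is set at the DATA stage and nowhere else.
pipelining_only_at_data() {
  [ "$(pipelining_stages "$1")" = "smtpd_data_restrictions" ]
}

write_sample_before() {  # constructed: restriction listed in the earlier stages
  printf '%s\n' \
    'smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,' \
    '    reject_unauth_pipelining' \
    'smtpd_recipient_restrictions = permit_mynetworks,' \
    '    # a comment line inside a continued value is ignored' \
    '    reject_unauth_destination, reject_unauth_pipelining' > "$1"
}

write_sample_after() {   # constructed: restriction moved to the DATA stage
  printf '%s\n' \
    'smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated' \
    'smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination' \
    "# Reject clients that speak to Postfix too early (don't wait their turn)." \
    'smtpd_data_restrictions = reject_unauth_pipelining' > "$1"
}

tmp=$(mktemp -d); write_sample_before "$tmp/before.cf"; write_sample_after "$tmp/after.cf"
for f in before after; do
  echo "$f: $(pipelining_stages "$tmp/$f.cf" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

On a running Postfix host, feeding the output of `postconf -n` to the same function checks the effective configuration rather than the file text.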
