New Postfix settings to combat CVE-2023-51764 aren't accepted on Ubuntu 20.04
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Ubuntu) | Fix Released | Undecided | Allen Huang |
Bug Description
The USN-6591-1 for CVE-2023-51764 says:
Please note that certain configuration changes are required to address
this issue. They are not enabled by default for backward compatibility.
Information can be found at https:
and
After a standard system update you need to enable
smtpd_forbid_
all the necessary changes.
I upgraded on Ubuntu 20.04 from 3.4.13-0ubuntu1.2 to 3.4.13-0ubuntu1.3, and made those changes to add these two lines:
smtpd_forbid_
smtpd_forbid_
After I restarted postfix, I get this in the logs:
Jan 22 21:06:39 xxxxx postfix/
Jan 22 21:06:40 xxxxx postfix/
Jan 22 21:06:40 xxxxx postfix/
root@xxxxx:
postfix:
Installed: 3.4.13-0ubuntu1.3
Candidate: 3.4.13-0ubuntu1.3
Version table:
*** 3.4.13-0ubuntu1.3 500
500 http://
500 http://
100 /var/lib/
3.
500 http://
summary: changed from "New Postfix settings to combat CVE-2023-51764 aren't accepted" to "New Postfix settings to combat CVE-2023-51764 aren't accepted on Ubuntu 20.04"
The upstream docs at https://www.postfix.org/smtp-smuggling.html also say:
'An older long-term fix recommended using "smtpd_forbid_bare_newline = yes". Use that if you have Postfix 3.8.4, 3.7.9, 3.6.13 or 3.5.23. That setting still protects later Postfix versions against SMTP smuggling.'
Using the value 'yes' seems to work on Ubuntu 20.04 3.4.13-0ubuntu1.3.
I am not clear on upstream's wording as to whether 'yes' is as sufficient a fix as 'normalize' on 3.4, but since they later say 'The older setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize".' (on newer versions of Postfix), I assume so.
In other words, it sounds like on Postfix 3.4 (used on Ubuntu 20.04), perhaps the fix from upstream only includes the use of 'yes' as the fix, not 'normalize'.
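The practical problem in this report is that a `main.cf` can name a mitigation value the installed Postfix build does not understand, so an administrator who copied the advisory's setting may believe the host is protected when it is not. The following audit script is an added example, not part of the Launchpad report or of Postfix itself: it parses `main.cf` syntax (`parameter = value`, `#` comment lines, indented continuation lines, last definition wins, which is how postconf(5) describes the file) and reports the effective `smtpd_forbid_bare_newline` value against the set of values the caller says the local build accepts. The sample configurations and the two accepted-value sets are constructed for the example; the only page-supported facts encoded are that `yes` and `normalize` both enable the protection upstream, that the default is `no`, and that the reporter found `normalize` was not accepted by 3.4.13-0ubuntu1.3 while `yes` was.

```python
"""Audit a Postfix main.cf fragment for the SMTP-smuggling mitigation.

Added example (not from the Launchpad report or from Postfix). It answers:
given this main.cf text and the values my Postfix build accepts, is
smtpd_forbid_bare_newline actually switched on?
"""

# Values the page names: 'no' is the upstream default; 'yes' and 'normalize'
# both enable the protection ('yes' is an alias for 'normalize' on newer Postfix).
PROTECTING_VALUES = {"yes", "normalize"}
DEFAULT_VALUE = "no"


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text.

    Follows the postconf(5) file format: blank lines and lines whose first
    non-whitespace character is '#' are ignored, a line starting with
    whitespace continues the previous parameter's value, and a parameter
    defined twice takes its last value.
    """
    params = {}
    current_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current_key is not None:
            # Continuation line: joined to the previous value with a space.
            params[current_key] += " " + raw.strip()
            continue
        if "=" not in raw:
            current_key = None  # malformed line; do not attach continuations to it
            continue
        key, _, value = raw.partition("=")
        current_key = key.strip()
        params[current_key] = value.strip()
    return params


def audit_bare_newline(text, accepted_values):
    """Classify the mitigation state of a main.cf fragment.

    accepted_values: the set of smtpd_forbid_bare_newline values the local
    Postfix build recognises. Values are compared exactly as written.
    Returns (effective_value, status) with status one of:
      'value_not_accepted' - the build does not know this value, so the
                             setting cannot be relied on (the report's case);
      'protected'          - an accepted value that enables the mitigation;
      'unprotected'        - an accepted value that leaves it off.
    """
    params = parse_main_cf(text)
    value = params.get("smtpd_forbid_bare_newline", DEFAULT_VALUE)
    if value not in accepted_values:
        return value, "value_not_accepted"
    if value in PROTECTING_VALUES:
        return value, "protected"
    return value, "unprotected"


# Constructed sample configurations (not taken from the report).
CF_NORMALIZE = """# constructed main.cf fragment
smtpd_forbid_bare_newline = normalize
"""
CF_YES = """smtpd_forbid_bare_newline = yes
mynetworks = 127.0.0.0/8
    [::1]/128
"""
CF_DEFAULT = """myhostname = mail.example.invalid
"""

# Assumed accepted-value sets: the first mirrors the reporter's observation on
# the Ubuntu 20.04 build ('yes' works, 'normalize' does not); the second is a
# build where 'normalize' is valid.
UBUNTU_2004_BUILD = {"no", "yes"}
NEWER_BUILD = {"no", "yes", "normalize"}

if __name__ == "__main__":
    for name, cf in (("normalize", CF_NORMALIZE), ("yes", CF_YES), ("default", CF_DEFAULT)):
        print(f"{name:>9} on 20.04-style build: {audit_bare_newline(cf, UBUNTU_2004_BUILD)}")
        print(f"{name:>9} on newer build:       {audit_bare_newline(cf, NEWER_BUILD)}")
```

On a live host the `accepted_values` set should reflect what the installed package really supports, and the effective value should be cross-checked with `postconf smtpd_forbid_bare_newline` after a restart rather than inferred from the file alone, since the log warnings the reporter saw are the authoritative sign that a value was rejected.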