New Postfix settings to combat CVE-2023-51764 aren't accepted on Ubuntu 20.04

Bug #2050834 reported by mig5
Affects: postfix (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Allen Huang
Milestone: (none)

Bug Description

The USN-6591-1 for CVE-2023-51764 says:

Please note that certain configuration changes are required to address
this issue. They are not enabled by default for backward compatibility.
Information can be found at https://www.postfix.org/smtp-smuggling.html.

and

After a standard system update you need to enable
smtpd_forbid_bare_newline in your configuration and reload it to make
all the necessary changes.

I upgraded on Ubuntu 20.04 from 3.4.13-0ubuntu1.2 to 3.4.13-0ubuntu1.3, and made those changes to add these two lines:

smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks

After I restarted postfix, I get this in the logs:

Jan 22 21:06:39 xxxxx postfix/smtpd[3898883]: fatal: bad boolean configuration: smtpd_forbid_bare_newline = normalize
Jan 22 21:06:40 xxxxx postfix/master[3898007]: warning: process /usr/lib/postfix/sbin/smtpd pid 3898883 exit status 1
Jan 22 21:06:40 xxxxx postfix/master[3898007]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

root@xxxxx:/home/miguel# apt-cache policy postfix
postfix:
  Installed: 3.4.13-0ubuntu1.3
  Candidate: 3.4.13-0ubuntu1.3
  Version table:
 *** 3.4.13-0ubuntu1.3 500
        500 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.10-1ubuntu1 500
        500 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu focal/main amd64 Packages

mig5 (mig5)
summary: - New Postfix settings to combat CVE-2023-51764 aren't accepted
+ New Postfix settings to combat CVE-2023-51764 aren't accepted on Ubuntu
+ 20.04
Revision history for this message
mig5 (mig5) wrote (last edit ):

The upstream docs at https://www.postfix.org/smtp-smuggling.html also say:

'An older long-term fix recommended using "smtpd_forbid_bare_newline = yes". Use that if you have Postfix 3.8.4, 3.7.9, 3.6.13 or 3.5.23. That setting still protects later Postfix versions against SMTP smuggling.'

Using the value 'yes' seems to work on Ubuntu 20.04 3.4.13-0ubuntu1.3.

I am not clear on upstream's wording as to whether 'yes' is as sufficient a fix as 'normalize' on 3.4, but since they later say 'The older setting "smtpd_forbid_bare_newline = yes" is now an alias for "smtpd_forbid_bare_newline = normalize".' (on newer versions of Postfix), I assume so.

In other words, it sounds like on Postfix 3.4 (used on Ubuntu 20.04), perhaps the fix from upstream only includes the use of the term 'yes' as fix, not 'normalize'.

Revision history for this message
Simon Déziel (sdeziel) wrote :

@mig5, what landed so far in Ubuntu is the first cut at the smtpd_forbid_bare_newline feature, meaning the normalize bit is not supported. What was backported is what made it into 3.8.4, while the normalize bit went in 3.8.5.

On IRC (#ubuntu-security), the security team said they'd be looking into this.

Revision history for this message
Steinar Kaarø (mrstk) wrote :

The 3.4.13-0ubuntu1.3 update seems to be based on a backport of postfix-3.6.13.
On January 22 an updated fix was released as postfix-3.6.14. A patch for the unsupported postfix-3.4 version was also released:
http://ftp.porcupine.org/mirrors/postfix-release/index.html

According to a postfix announcement made on January 17 there are some issues with the initial fix for the smuggling:

To: Postfix announce <email address hidden>
Date: Wed, 17 Jan 2024 15:16:34 -0500 (EST)
Subject: [pfx-ann] SMTP smuggling update next week
From: Wietse Venema via Postfix-announce <email address hidden>

After the initial SMTP smuggling fix that was published four weeks
ago, the plan is to publish an improved version early next week.

- Better compatibility: Postfix can prevent SMTP smuggling without
  rejecting bare newline characters.

  This avoids a mail delivery problem with Microsoft Exchange
  servers. These violate RFC 3030 (BDAT) and RFC 2045 (MIME text)
  when they send BDAT payloads with bare newline characters in MIME text.
  https://datatracker.ietf.org/doc/html/rfc3030#section-3
  https://datatracker.ietf.org/doc/html/rfc2045#section-2.7
  https://datatracker.ietf.org/doc/html/rfc2045#section-2.8

- Better logging: when Postfix is configured to reject bare newline
  characters, log the queue ID, HELO, MAIL, and RCPT if available.

- Avoid false positives: some "smuggling" test tools send fake
  End-of-DATA sequences that real MTAs cannot send.
  https://www.postfix.org/false-smuggling-claims.html

A preview of the code is in the unstable releases postfix-20240112
and postfix-20240116 (these contain the same code, but differ in
documentation which remains work in progress).
https://www.postfix.org/download.html

    Wietse

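The thread turns on the difference between the two settings: the first cut of smtpd_forbid_bare_newline (the "yes" value) refuses any DATA payload containing a bare LF, which is what broke delivery from Exchange servers that send LF-only line endings in BDAT, while the later "normalize" value rewrites bare LFs as CRLF instead of rejecting the message. The following Python sketch is an added illustration of those two policies and is not Postfix's own code; the function and policy names, and the sample payload, are constructed for this example.

```python
import re
from typing import List, Tuple

# A "bare" newline is an LF that is not preceded by CR. RFC 5321 mail data
# must use CRLF line endings, so anything this pattern matches is non-compliant.
_BARE_LF = re.compile(rb"(?<!\r)\n")


def find_bare_newlines(payload: bytes) -> List[int]:
    """Return the byte offset of every bare LF in an SMTP DATA/BDAT payload."""
    return [m.start() for m in _BARE_LF.finditer(payload)]


def apply_bare_newline_policy(payload: bytes, policy: str) -> Tuple[bool, bytes]:
    """Model the two behaviours discussed in the thread (hypothetical names).

    policy == "reject":    refuse the payload if it contains any bare LF,
                           as the original "yes" setting did.
    policy == "normalize": rewrite each bare LF as CRLF so the payload is
                           accepted with only CRLF line endings, as the
                           later "normalize" setting does.
    Returns (accepted, payload_to_deliver).
    """
    offsets = find_bare_newlines(payload)
    if policy == "reject":
        return (not offsets, payload)
    if policy == "normalize":
        return (True, _BARE_LF.sub(b"\r\n", payload))
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample: a short message in which one body line is LF-terminated
# only, the kind of payload the announcement attributes to Exchange's BDAT.
SAMPLE = b"Subject: test\r\n\r\nline one\r\nline two\nline three\r\n"

if __name__ == "__main__":
    print("bare LF offsets:", find_bare_newlines(SAMPLE))
    for pol in ("reject", "normalize"):
        accepted, out = apply_bare_newline_policy(SAMPLE, pol)
        print(pol, "->", "accepted" if accepted else "rejected", out)
```

Run against the sample, "reject" refuses the message because of the single bare LF, while "normalize" accepts it and delivers a payload whose line endings are all CRLF; a payload that is already CRLF-only passes both policies unchanged.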
Revision history for this message
Allen Huang (allenpthuang) wrote :

Hi both,

Thank you both for reporting this and providing further information! The updates are on the way.

Changed in postfix (Ubuntu):
assignee: nobody → Allen Huang (allenpthuang)
Revision history for this message
Simon Déziel (sdeziel) wrote :

Thank you Allen!

Revision history for this message
Allen Huang (allenpthuang) wrote :

The updates have been published[1]. Thanks again!

[1] https://ubuntu.com/security/notices/USN-6591-2

Changed in postfix (Ubuntu):
status: New → Fix Released