Attack against postfix allows sending of spoofed mail
Attack against postfix allows sending of spoofed mail
FYI: Postfix has currently an unpatched vulnerability which allows sending of spoofed mail: https://www.postfix.org/smtp-smuggling.html
A fix is currently not available but to have peaceful holidays one should have these lines in the configuration as a workaround:
main.cf:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
The "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text can be used to spoof an email message from any MAIL FROM address whose domain is hosted at email service A, to any RCPT TO address whose domain is hosted at email service B.
If I understand this correctly someone can use Microsoft/other commercial services to email a domain running postfix and make it comes from anyone on the initial service to anyone on the postfix domain. Nice. Good for targeted attacks and probably not bad to get some spam out.
Merry Christmas postfix.
Mailcow tracking bug, they claim the fix in the parent may cause the blocking of legimate traffic from incorrectly implemented smtp servers.