Recently an SMTP Smuggling attack on Postfix was published, as mentioned by the Postfix project:
Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.
Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix or other affected systems.
The net result: a presumably unintended zero-day attack was published because some people weren’t aware of the scope of the attack.
At this time it means an upstream fix by Postfix is needed to fully fix the security issue.
Zimbra will create a patch with updated configuration files and an updated version of Postfix as soon as possible, meanwhile we recommend to add:
smtpd_discard_ehlo_keywords=chunking
To the bottom of all the following files:
/opt/zimbra/common/conf/main.cf /opt/zimbra/common/conf/main.cf.default /opt/zimbra/common/conf/main.cf.proto
Remove the already existing line that reads: smtpd_discard_ehlo_keywords = from /opt/zimbra/common/conf/main.cf.default
And then as the OS user zimbra restart the MTA:
zmmtactl restart
The following line should already be set in the configuration files, but be sure to check if it is indeed present on your installation:
smtpd_data_restrictions = reject_unauth_pipelining
The file /opt/zimbra/common/conf/main.cf.default already has the line ‘smtpd_discard_ehlo_keywords =’
But the workaround is to add the line to the bottom of the main.cf.default?
Thanks for your comment, will update the blog post.
You may either replace that line with smtpd_discard_ehlo_keywords=chunking or remove the already existing line and add it to the bottom.
It’s cleaner to use `postconf -e` to edit Postfix configuration, it will add new or update existing lines as needed.
I am not sure if using postconf on template files will always have the desired effect, but again this issue will be addressed by a Zimbra patch postconf should not be needed.
For us it seems like the SMTP Server is still vulnerable, even after these setting are set and the MTA is restarted.
It’s not possible with BDAT anymore, but with LF-DOT-CRLF it’s still possible to smuggle. Tested with the Tool from Xeam. Is anybody else experiencing this?
It appears that the tool from Xeam is not providing reliable results.
Big e-mail providers like Microsoft and GMX who allowed sending an . sequence from their outbound SMTP server’s to the inbound SMTP server (postfix in our case) as unfiltered, have already patched this issue.
If you’re planning to test this further, I would recommend trying out
https://github.com/The-Login/SMTP-Smuggling-Tools
Postfix as an outbound server interprets . as an end-of-data sequence.
In that case, go ahead to “Scanning postfix as an inbound SMTP servers”.
Will you consider upgrading Postfix to 3.6.14 or newer? This new release improves the initial fixes released in December, with less impact on broken clients and better logging. See https://www.postfix.org/announcements/postfix-3.8.5.html
Or wait a bit until Postfix 3.9 comes out. Unlike older releases, 3.9 will enable all recommended mitigations by default.
We are planning to upgrade Postfix soon.