ALAS2-2024-2420 --- postfixID: oval:org.secpod.oval:def:1702055 | Date: (C)2024-02-07 (M)2024-02-26 |
Class: PATCH | Family: unix |
Postfix through 3.8.4 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking . Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports less thanLF greater than .less thanCR greater than less thanLF greater than but some other popular e-mail servers do not. To prevent attack variants , a different solution is required: the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9