by disabling pipelining on the external port.
The fix in the postfix config for the smtp-smuggling vulnerability [0]
follows the current recommendation of postfix upstream [1].
By using `smtpd_data_restrictions` instead of the newer
`smtpd_forbid_unauth_pipelining`, the fix works for both PMG 7 and 8.
Tested with a handcrafted smtp-smuggling-session and verifying that:
* without the fix I get 2 mails
* with the fix I get 1 mail when sending to the external port, but
still 2 mails when sending to the internal port
[0] https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
[1] https://www.postfix.org/smtp-smuggling.html
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
[% END %]
+smtpd_data_restrictions = reject_unauth_pipelining
+
smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]
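Review bot: The added `smtpd_data_restrictions = reject_unauth_pipelining` line carries no comment, so a later reader of the template cannot tell that it is the SMTP smuggling mitigation or that it is deliberately emptied again for one service in the master.cf template. Please add a short comment above it naming the purpose and pointing at the master.cf override. Note also that in main.cf a later assignment of the same parameter replaces an earlier one, so a customized template that sets `smtpd_data_restrictions` further down would silently drop this restriction; it is worth checking that no other assignment exists in the template.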
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
+ -o smtpd_data_restrictions=
[% pmg.mail.ext_port %] inet n - - - 1 postscreen
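Review bot: The empty `-o smtpd_data_restrictions=` override removes `reject_unauth_pipelining` for this service completely, which matches the commit message's test result of still getting 2 mails on the internal port, but the template does not say why that is acceptable. Please document the reasoning next to the override (who is expected to connect to that service and why pipelining ahead of the server's reply must stay allowed there), or keep the restriction on this service as well if no sender depends on it. The service line these `-o` options belong to is outside the visible context, so it would help to confirm that the override applies only to the internal port and not to any other smtpd entry.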