From 25c7024cc4c7a6ee81be70144f6ecaf4fddf44ca Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Wed, 3 Jan 2024 02:02:59 +0100
Subject: [PATCH] security(Postfix): Protect against "SMTP Smuggling" attack
 (#3727)

View `CHANGELOG.md` entry and PR for details.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
---
 CHANGELOG.md           | 15 ++++++++++++++-
 target/postfix/main.cf |  6 ++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeeb843d..b6e6d906 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,10 +2,23 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v13.0.0...HEAD)
+## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v13.1.0...HEAD)
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Security
+
+DMS is now secured against the [recently published spoofing attack "SMTP Smuggling"](https://www.postfix.org/smtp-smuggling.html) that affected Postfix ([#3727](https://github.com/docker-mailserver/docker-mailserver/pull/3727)):
+- Postfix upgraded from `3.5.18` to `3.5.23` which provides the [long-term fix with `smtpd_forbid_bare_newline = yes`](https://www.postfix.org/smtp-smuggling.html#long)
+- If you are unable to upgrade to this release of DMS, you may follow [these instructions](https://github.com/docker-mailserver/docker-mailserver/issues/3719#issuecomment-1870865118) for applying the [short-term workaround](https://www.postfix.org/smtp-smuggling.html#short).
+- This change should not cause compatibility concerns for legitimate mail clients, however if you use software like `netcat` to send mail to DMS (_like our test-suite previously did_) it may now be rejected (_especially with the the short-term workaround `smtpd_data_restrictions = reject_unauth_pipelining`_).
+- **NOTE:** This Postfix update also includes the new parameter [`smtpd_forbid_bare_newline_exclusions`](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions) which defaults to `$mynetworks` for excluding trusted mail clients excluded from the restriction.
+  - With our default `PERMIT_DOCKER=none` this is not a concern.
+  - Presently the Docker daemon config has `user-proxy: true` enabled by default.
+    - On a host that can be reached by IPv6, this will route to a DMS IPv4 only container implicitly through the Docker network bridge gateway which rewrites the source address.
+    - If your `PERMIT_DOCKER` setting allows that gateway IP, then it is part of `$mynetworks` and this attack would not be prevented from such connections.
+    - If this affects your deployment, refer to [our IPv6 docs](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/ipv6/) for advice on handling IPv6 correctly in Docker. Alternatively [use our `postfix-main.cf`](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/override-defaults/postfix/) to set `smtpd_forbid_bare_newline_exclusions=` as empty.
+
 ### Updates
 
 - The test suite now uses `swaks` instead of `nc`, which has multiple benefits ([#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732)):
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 8c329c94..a9230347 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -57,6 +57,12 @@ smtpd_sender_restrictions = $dms_smtpd_sender_restrictions
 smtpd_discard_ehlo_keywords = silent-discard, dsn
 disable_vrfy_command = yes
 
+# Security - Prevent SMTP Smuggling attack
+# https://www.postfix.org/smtp-smuggling.html#long
+smtpd_forbid_bare_newline = yes
+# It is possible to exclude clients on trusted networks from this restriction (the upstream default is `$mynetwork`):
+# smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 # Custom defined parameters for DMS:
 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
 # Submission ports 587 and 465 support for SPOOF_PROTECTION=1