webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 10:35:53 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
bpfire/lfs/postfix
Adolf Belka cfb6d9c7fd postfix: Update to version 3.8.4 + prevent smtp smuggling 
- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However the fix has been
   backported into version 3.8.4 but with the default for the parameter of "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse
   Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally the implementation of smtpd_forbid_bare_newline = yes has been added to
   the install.sh pak for postfix so that it will be included into any main.cf file being
   restored from backup. This parameter is available for the first time in 3.8.4 so will
   not be in any backup prior to this release and can therefore be safely applied to
   restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early
   in 2024 as the default for that parameter in that version onwards will then be "yes"
- Changelog
    3.8.4
	Security: with "smtpd_forbid_bare_newline = yes" (default
	 "no" for Postfix < 3.9), reply with "Error: bare <LF>
	 received" and disconnect when an SMTP client sends a line
	 ending in <LF>, violating the RFC 5321 requirement that
	 lines must end in <CR><LF>. This prevents SMTP smuggling
	 attacks that target a recipient at a Postfix server. For
	 backwards compatibility, local clients are excluded by
	 default with "smtpd_forbid_bare_newline_exclusions =
	 $mynetworks". Files: mantools/postlink, proto/postconf.proto,
	 global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
	 smtpd/smtpd.c.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2024-01-08 10:00:02 +00:00

132 lines
4.5 KiB
Plaintext
Raw Permalink Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
SUMMARY = A fast, secure, and flexible mailer
VER = 3.8.4
THISAPP = postfix-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = postfix
PAK_VER = 44
DEPS =
SERVICES = postfix
CCARGS = `getconf LFS_CFLAGS` \
-DDEF_DAEMON_DIR="'\"/usr/lib/postfix\"'" \
-DDEF_MANPAGE_DIR="'\"/usr/share/man\"'" \
-DNO_NIS
AUXLIBS =
# LDAP
CCARGS += -DHAS_LDAP -DLDAP_DEPRECATED=1
AUXLIBS += -lldap -llber
# PCRE
CCARGS += -DHAS_PCRE -I/usr/include/pcre
AUXLIBS += -lpcre
# SASL
CCARGS += -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl
AUXLIBS += -L/usr/lib/sasl2 -lsasl2
# TLS
CCARGS += -DUSE_TLS `pkg-config --cflags openssl`
AUXLIBS += `pkg-config --libs openssl`
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_BLAKE2 = 200ce3d72444da05e42fc8627002d53d68c1b3d78b7f74b0130ac958c23d16454783ef4849a8c9a4e3cba8ae36646e921f7e94ac4fb819b597e1a5ab1a875272
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
b2 : $(subst %,%_BLAKE2,$(objects))
dist:
@$(PAK)
###############################################################################
# Downloading, checking, b2sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_BLAKE2,$(objects)) :
@$(B2SUM)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && make -f Makefile.init makefiles \
DEBUG="" OPT="$(CFLAGS) -fno-strict-aliasing" CCARGS="$(CCARGS)" AUXLIBS="$(AUXLIBS)"
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && sh postfix-install -non-interactive
## Install configuration
rm -vf /etc/postfix/main.cf.default
# update main.cf parameters to prevent smtp smuggling attack
postconf -e 'smtpd_forbid_bare_newline = yes'
postconf -e 'smtpd_forbid_unauth_pipelining = yes'
postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining'
postconf -e 'smtpd_discard_ehlo_keywords = chunking'
mkdir -p /var/lib/postfix
chown postfix.root /var/lib/postfix
install -v -m 644 $(DIR_SRC)/config/backup/includes/postfix \
/var/ipfire/backup/addons/includes/postfix
mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix
#install initscripts
$(call INSTALL_INITSCRIPTS,$(SERVICES))
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink