Tuesday, December 19, 2023

latest postfix version - security vulnerability and upgrade

Hi everyone.

I've been reading about this:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide

And it seems, for workaround and patching, postfix needs to have the
following parameter enabled:

smtpd_forbid_unauth_pipelining=yes

however, the latest postfix package under OpenBSD 7.4
is; postfix-3.8.20221007p11 which does not support that parameter.

"That feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and
3.5.20" as it's been said here:

http://www.postfix.org/postconf.5.html#smtpd_forbid_unauth_pipelining

Is there any plan for OpenBSD 7.4 stable packages, to upgrade postfix to
latest stable revision, for security purposes in that case?

Best wishes, regards.

Mark.

No comments:

Post a Comment