SMTP smuggling attack
not sure if we're affected by this or how much.
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://security-tracker.debian.org/tracker/1059230
here's a patch to tor-puppet.git that might mitigate part of the problem:
modified modules/postfix/templates/main.cf.erb
@@ -140,6 +140,12 @@ smtpd_recipient_restrictions =
reject
<% end -%>
+# workaround for SMTP smuggling, see:
+# https://security-tracker.debian.org/tracker/1059230
+# https://www.postfix.org/smtp-smuggling.html
+# https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+smtpd_data_restrictions = reject_unauth_pipelining
+
# cf. https://isc.sans.edu/diary/Hardening+Postfix+Against+FTP+Relay+Attacks/22086
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
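Review bot: The comment above `smtpd_data_restrictions = reject_unauth_pipelining` calls this a workaround but does not say that it is partial or when it can be removed, so the setting is likely to stay in main.cf.erb long after anyone remembers why. Suggest adding a comment line stating that it covers only part of the problem and should be revisited once the deployed Postfix package carries a proper fix. Also check that the template does not assign smtpd_data_restrictions anywhere else: Postfix keeps only the last assignment of a parameter in main.cf, so a second definition would silently override this one or be overridden by it.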
this might be mitigated by the fact that we don't have hard DMARC/DKIM policies anyways, so we're already vulnerable to quite a few masquerading attacks.
Edited by anarcat