Vulnerability CVE-2023-51764 in Postfix

The idea is to reject unauthorized SMTP command pipelining (one network packet contains multiple lines with smuggled SMTP commands and message content), and to reject BDAT commands. That will stop many forms of the published attack (BDAT is part of the CHUNKING extension; it allows command pipelining that isn't allowed with the DATA command).

NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.

1. Connect to the server via SSH.

2. Check Postfix version - first line of the output:

   # postconf -d | grep mail_version

3. Modify Postfix configuration:

   • for Postfix 3.9.x, 3.8.4, 3.7.9, 3.6.13 and 3.5.23 or later, add following line to /etc/postfix/main.cf:
         smtpd_forbid_bare_newline = yes
   • for Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 or later, add following lines to /etc/postfix/main.cf:
          smtpd_forbid_unauth_pipelining = yes
     smtpd_discard_ehlo_keywords = chunking, silent-discard
   • Otherwise, add:
         smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keywords = chunking, silent-discard

For example: if you have Postfix version 3.8.5 you need to apply the first option (because 3.8.5 >= 3.8.4). If you have Postfix version 3.6.11, use option 2 (because 3.6.11 is less than 3.6.13, but greater than 3.6.10). Please note, that options two and three can break some legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare.