MSA: Set smtpd_forbid_bare_newline to defeat SMTP smuggling attacks.

author: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 02:21:26 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 02:24:27 +0200
commit: eeef279d8f4d3b7ddff5eae47e609c4e138140ce (patch)
tree: a49458c345f1b28c5058f06b28d1731eb517453e /roles/MSA/templates/etc/postfix/main.cf.j2
parent: 4977d7c1d80ac0caf94914fbf9be8471d056c906 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index bc98d9e..6a544ac 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -104,21 +104,24 @@ smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_login_maps   = socketmap:unix:private/sender-login:sender_login
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_sender_access lmdb:$config_directory/check_sender_access
     check_policy_service unix:private/policyd-spf
     reject_known_sender_login_mismatch
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     reject_unverified_recipient
     permit_sasl_authenticated
     reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
+smtpd_forbid_bare_newline = normalize
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 # vim: set filetype=pfmain :
author	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 02:21:26 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 02:24:27 +0200
commit	eeef279d8f4d3b7ddff5eae47e609c4e138140ce (patch)
tree	a49458c345f1b28c5058f06b28d1731eb517453e /roles/MSA/templates/etc/postfix/main.cf.j2
parent	4977d7c1d80ac0caf94914fbf9be8471d056c906 (diff)