Merge branch 'release/v3.8.4-1'

Author: sklein94

CHANGELOG.md

@@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v3.8.4-1] - 2023-12-27
+### Security
+- [#24] Prevent [SMTP smuggling](https://www.postfix.org/smtp-smuggling.html) due to [CVE-2023-51764](https://nvd.nist.gov/vuln/detail/CVE-2023-51764)
+### Added
+- [#24] Configuration to prevent the aforementioned SMTP smuggling.  
+  **BREAKING CHANGE:** This might break exceedingly rare clients that mis-implement SMTP.
+  Configuration options to allow those clients specifically
+  [can be found here](docs/operations/Configure_Dogu_en.md#client-exclusions-for-bare-newlines).
+### Changed
+- Upgraded postfix from `3.6.4` to `3.8.4`
+- Upgraded alpine base image from `3.17.3-2` to `3.18.3-1`
+
 ## [v3.6.4-6] - 2023-12-04
 ### Fixed
 - [#22] Fixed a bug where multiple masks for a destination ip would result in multi line input for cidr generation.

Dockerfile

@@ -1,6 +1,6 @@
-FROM registry.cloudogu.com/official/base:3.17.3-2
+FROM registry.cloudogu.com/official/base:3.18.3-1
 LABEL NAME="official/postfix" \
-      VERSION="3.6.4-6" \
+      VERSION="3.8.4-1" \
       [email protected]
 
 # INSTALL POSTFIX

docs/operations/Configure_Dogu_de.md

@@ -91,6 +91,23 @@ Postfix-Dogu bietet die folgenden Einstellungen:
 * Liste der SSL/TLS-Protokolle, die der Postfix-SMTP-Client mit zwingender TLS-Verschlüsselung verwenden wird
 * Optional
 
+### Missgebildete Zeilenenden
+
+* Pfad des Konfigurationsschlüssels: `smtpd_forbid_bare_newline`
+* Deaktiviert die Unterstützung für missgebildete Zeilenenden in SMTP.
+  Dies behebt [CVE-2023-51764](https://nvd.nist.gov/vuln/detail/CVE-2023-51764), könnte aber (seltene) Clients stören, die SMTP falsch implementieren.
+* Optional
+* Valide Werte: `yes, no`
+* Default-Wert: `yes`
+
+### Client-Ausnahmen für missgebildete Zeilenenden
+
+* Pfad des Konfigurationsschlüssels: `smtpd_forbid_bare_newline_exclusions`
+* Liste der Clients, für die bloße Zeilenumbrüche weiterhin zulässig sein sollen.
+  Siehe https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions
+* Optional
+* Default-Wert: `$mynetworks`
+
 ### Log Level
 
 * Pfad des Konfigurationsschlüssels: `logging/root`

docs/operations/Configure_Dogu_en.md

@@ -88,6 +88,23 @@ the following settings:
 * List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption
 * Optional
 
+### Bare newlines
+
+* Configuration key path: `smtpd_forbid_bare_newline`
+* Disables support for malformed line endings in SMTP.
+  This fixes CVE-2023-51764 but could break (rare) clients that mis-implement SMTP.
+* Optional
+* Valid values: `yes, no`
+* Default value: `yes`
+
+### Client exclusions for bare newlines
+
+* Configuration key path: `smtpd_forbid_bare_newline_exclusions`
+* List of clients for which bare newlines should still be allowed.
+  See https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions
+* Optional
+* Default value: `$mynetworks`
+
 ### Log Level
 
 * Configuration key path: `logging/root`

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/postfix",
-  "Version": "3.6.4-6",
+  "Version": "3.8.4-1",
   "DisplayName": "Postfix",
   "Description": "Postfix - Mail Transfer Agent",
   "Logo": "https://cloudogu.com/images/dogus/postfix.png",
@@ -69,6 +69,25 @@
       "Description": "List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption",
       "Optional": true
     },
+    {
+      "Name": "smtpd_forbid_bare_newline",
+      "Description": "Disables support for malformed line endings in SMTP. This fixes CVE-2023-51764 but could break (rare) clients that mis-implement SMTP.",
+      "Optional": true,
+      "Default": "yes",
+      "Validation": {
+        "Type": "ONE_OF",
+        "Values": [
+          "yes",
+          "no"
+        ]
+      }
+    },
+    {
+      "Name": "smtpd_forbid_bare_newline_exclusions",
+      "Description": "List of clients for which bare newlines should still be allowed. See https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions",
+      "Optional": true,
+      "Default": "$mynetworks"
+    },
     {
       "Name": "logging/root",
       "Description": "Set the root log level to one of ERROR, WARN, INFO, DEBUG.",

resources/startup.sh

@@ -38,7 +38,8 @@ POSTFIX_SASL_PASSWORD=$(doguctl config --default "NOT_SET" sasl_password)
 NET=""
 OPTIONS=('smtp_tls_security_level' 'smtp_tls_loglevel'
   'smtp_tls_exclude_ciphers' 'smtp_tls_mandatory_ciphers'
-  'smtp_tls_mandatory_protocols')
+  'smtp_tls_mandatory_protocols'
+  'smtpd_forbid_bare_newline' 'smtpd_forbid_bare_newline_exclusions')
 
 # GATHERING NETWORKS FROM INTERFACES FOR MYNETWORKS