1

Topic: iRedMail-1.6.8 has been released. Mitigate the "SMTP Smuggling" attack


Dear all,

iRedMail-1.6.8 has been released. It applies the "short-term workaround" to fix the "SMTP Smuggling" attack.

Here are the major changes since iRedMail-1.6.7:

Fixed issues
  • Mitigate Postfix "SMTP Smuggling" attack. Thanks @EsadCetiner for the contribution: https://github.com/iredmail/iRedMail/pull/248

  • [LDAP Backend] Cannot use a (mlmmj) mailing list as a member of another mailing list.

  • CentOS/Rocky: Daily cron job to update SpamAssassin rules is not enabled. Thanks to forum user `roccoro` for the report.

Updated packages
  • mlmmjadmin -> 3.1.9

  • netdata -> 1.44.1


2 (edited by haveagoodtime 2023-12-31 15:17:39)

Re: iRedMail-1.6.8 has been released. Mitigate the "SMTP Smuggling" attack

Today on Debian 11 I was able to upgrade to Postfix 3.5.23, but I also had to add

smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks

to my main.cf for the long term fix as described here:
https://www.postfix.org/announcements/p … .5.23.html

By default, if you just upgrade to a patched version of Postfix, the fix doesn't take effect until you explicitly enable smtpd_forbid_bare_newline.

3

Re: iRedMail-1.6.8 has been released. Mitigate the "SMTP Smuggling" attack

For Debian 11 and 12 users, please upgrade Postfix packages to the latest version and apply the long-term fix:

smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
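
The two conditions from the posts above (a Postfix release that carries the long-term fix, and the parameter explicitly enabled) can be checked together. This is an added example, not code from the thread, iRedMail or Postfix; the function names and the sample main.cf are constructed, and only the 3.5.x branch named in the thread is covered.

```sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the effective value of parameter $2 in main.cf-format file $1.
# Comment and blank lines are skipped, a line starting with whitespace
# continues the previous one, and the last assignment wins.
maincf_value() {
  awk -v want="$2" '
    function flush(   i, n, v) {
      i = index(cur, "="); if (i == 0) return
      n = substr(cur, 1, i - 1); v = substr(cur, i + 1)
      sub(/^[ \t]+/, "", n); sub(/[ \t]+$/, "", n)
      gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
      if (n == want) val = v
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { cur = cur " " $0; next }
    { flush(); cur = $0 }
    END { flush(); print val }' "$1"
}

# Succeed only for a 3.5.x release at or above 3.5.23, the release named in
# the post above. Other branches have their own minimum and are not covered.
has_long_term_fix() {
  case "$1" in
    3.5.*) _patch=${1#3.5.}; _patch=${_patch%%[!0-9]*} ;;
    *) return 1 ;;
  esac
  [ -n "$_patch" ] && [ "$_patch" -ge 23 ]
}

# Verdict for Postfix version $1 and main.cf file $2 (exit 0 ok, 1 enable, 2 upgrade).
audit_bare_newline() {
  has_long_term_fix "$1" || { echo "UPGRADE: $1 is not 3.5.23 or later in 3.5.x"; return 2; }
  value=$(maincf_value "$2" smtpd_forbid_bare_newline)
  if [ "$value" != yes ]; then
    echo "ENABLE: smtpd_forbid_bare_newline is '${value:-unset}'; fix not active"; return 1
  fi
  echo "OK: enabled, exclusions = $(maincf_value "$2" smtpd_forbid_bare_newline_exclusions)"
}

# Constructed sample main.cf: a commented-out entry and a continued value.
sample=$(mktemp)
cat >"$sample" <<'EOF'
#smtpd_forbid_bare_newline = no
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions =
    $mynetworks
EOF
audit_bare_newline 3.5.23 "$sample"
audit_bare_newline 3.5.8 "$sample" || true
```

On a live host the same check would be `audit_bare_newline "$(postconf -h mail_version)" /etc/postfix/main.cf`, assuming the default configuration path.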

4

Re: iRedMail-1.6.8 has been released. Mitigate the "SMTP Smuggling" attack

Hi, I am looking at the Postfix instructions and have a question.
I have:
CentOS 8, latest base Postfix
postfix-pcre-3.5.8-7.el8.x86_64
postfix-perl-scripts-3.5.8-7.el8.x86_64
postfix-3.5.8-7.el8.x86_64
postfix-mysql-3.5.8-7.el8.x86_64

Postfix's documentation points to http://ghettoforge.org/index.php/Postfix. It looks acceptable, but I can't find the postfix-perl-scripts rpm in the ghettoforge repo. Is it necessary?

Maybe you have some instructions on how to update to the latest fixed rpm for CentOS 8?

Regards