| Package | postfix | 
|---|---|
| Version | 2.11.3-1+deb8u3 (jessie), 3.1.15-0+deb9u2 (stretch) | 
| Related CVEs | CVE-2023-51764 | 
Postfix, a popular mail server, was vulnerable to SMTP smuggling (CVE-2023-51764).

Postfix allowed SMTP smuggling unless it was configured with `smtpd_data_restrictions=reject_unauth_pipelining` and `smtpd_discard_ehlo_keywords=chunking`. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix accepts `<LF>.<CR><LF>` as an end-of-data sequence while some other popular e-mail servers do not.

To prevent attack variants (by always disallowing `<LF>` without a preceding `<CR>`), a different solution is required, such as the backported `smtpd_forbid_bare_newline=yes` option.
For Debian 8 jessie, these problems have been fixed in version 2.11.3-1+deb8u3.
For Debian 9 stretch, these problems have been fixed in version 3.1.15-0+deb9u2.
We recommend that you upgrade your postfix packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.