
Postfix Security Release 3.8.5 – 3.7.10 – 3.6.14 – 3.5.24


Postfix, the mail transfer agent (MTA) for Linux and Unix, has received a security and bugfix release in versions 3.8.5, 3.7.10, 3.6.14 and 3.5.24.

Postfix 3.8.5 – 3.7.10 – 3.6.14 – 3.5.24 Release Notes

Security: this release improves support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see

The improvements provide better logging, and better compatibility with existing SMTP clients (less need to allowlist clients).

Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.

The recommended settings are:

# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
# that do not terminate DATA content with the standard End-of-DATA
# sequence <CR><LF>.<CR><LF>.
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks


  • The default setting is “smtpd_forbid_bare_newline = no” in Postfix releases < 3.9, for compatibility reasons. This means that Postfix is by default vulnerable to SMTP smuggling.
  • The new setting “smtpd_forbid_bare_newline = normalize” is the default for Postfix releases 3.9 and later.
  • The old setting “smtpd_forbid_bare_newline = yes” is now an alias for “smtpd_forbid_bare_newline = normalize”.
  • The new setting “smtpd_forbid_bare_newline = reject” will refuse commands or message content with a bare newline. For details see the RELEASE_NOTES or the postconf(5) documentation.
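
A configuration audit for the setting described above, as an added example (not code from the Postfix project or from the original post): it parses main.cf text, applies the version-dependent default and the `yes` alias from the release notes, and flags releases older than the ones named here. The function names, the sample main.cf and the finding strings are assumptions made for illustration.

```python
import re

# Patched releases named on this page, keyed by stable branch.
PATCHED = {(3, 8): 5, (3, 7): 10, (3, 6): 14, (3, 5): 24}

# Constructed sample main.cf (not from the page).
SAMPLE_MAIN_CF = """\
# constructed sample
myhostname = mx.example.org
mynetworks = 127.0.0.0/8
    192.0.2.0/24
smtpd_forbid_bare_newline = no
# a later definition overrides the earlier one
smtpd_forbid_bare_newline = yes
"""

def parse_main_cf(text):
    """main.cf rules: '#' lines and blank lines are ignored, a line starting
    with whitespace continues the previous one, the last definition wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if name:
                params[name] += " " + raw.strip()
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)$", raw)
        name = m.group(1) if m else None
        if m:
            params[name] = m.group(2).strip()
    return params

def audit(main_cf_text, version):
    """version: (major, minor, patch), e.g. taken from `postconf mail_version`."""
    params = parse_main_cf(main_cf_text)
    branch, patch = tuple(version[:2]), version[2]
    default = "normalize" if branch >= (3, 9) else "no"
    mode = params.get("smtpd_forbid_bare_newline", default)
    mode = "normalize" if mode == "yes" else mode  # "yes" is an alias
    findings = []
    if patch < PATCHED.get(branch, 0):
        findings.append("upgrade to %d.%d.%d" % (branch + (PATCHED[branch],)))
    if mode == "no":
        findings.append("bare <LF> accepted: exposed to SMTP smuggling")
    elif mode not in ("normalize", "reject"):
        findings.append("unrecognized value %r" % mode)
    exclusions = params.get("smtpd_forbid_bare_newline_exclusions", "$mynetworks")
    return {"mode": mode, "exclusions": exclusions, "findings": findings}
```

On a live host, `postconf smtpd_forbid_bare_newline` reports the value Postfix actually uses, which is the authoritative check; the audit above is for reviewing configuration files offline.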

