[Resolved] SMTP Smuggling advisory

I asked Plesk support this same question about our servers; here is their answer, received today:

Thank you for waiting, we've got an update from the Security Team.
Indeed, Plesk servers are affected by this vulnerability.
Plesk ships its own Postfix 3.5.x packages for RHEL <= 8 (and its forks) and Ubuntu 18. For other OSes, Postfix is installed from the OS vendor repositories.
The vulnerability fix for the packages shipped by us is expected next week. Releases for other operating systems depend on the OS vendors. We are also considering including the necessary configuration changes in the fixed versions.

Until the security fix is released, please consider applying the short-term workaround suggested in the Postfix SMTP Smuggling advisory:
  1. Connect to the server via SSH.
  2. Check the Postfix version (first line of the output):
    # postconf -d | grep mail_version
  3. Change the following directives by editing the /etc/postfix/main.cf configuration file:
    • With all Postfix versions:
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_discard_ehlo_keywords = chunking, silent-discard
    • Postfix 3.9, 3.8.1, 3.7.6, 3.6.10 and 3.5.20:
      smtpd_forbid_unauth_pipelining = yes
      smtpd_discard_ehlo_keywords = chunking, silent-discard
 
Thank you very much for the answer.

Meanwhile I have applied the fix which is applicable for all Postfix versions. I am curious when the Postfix 3.5.x package will be available. In Ubuntu 20.04.6 LTS only Postfix 3.4.13 is included. The above-mentioned fix is not fully addressing the vulnerability.

Workarounds:

"NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution."
 