Mitigate smuggling setting smtpd_discard_ehlo_keywords.

2023-12-26 19:04:41 +01:00 · 2023-12-26 19:04:41 +01:00 · cfc40d98ca
parent 5fc53ea968
commit cfc40d98ca
1 changed files with 4 additions and 0 deletions
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@ -621,6 +621,9 @@ smtpd_recipient_restrictions =
        reject_rbl_client {{ postfix_rbl_list }}
 {% endif %}

+{% if postfix_mx_server %}
+smtpd_discard_ehlo_keywords = chunking
+{% endif %}
 smtpd_client_restrictions =
        permit_mynetworks
        permit_inet_interfaces
@ -654,6 +657,7 @@ smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_clients = yes
 # Block clients that speak too early.
 smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_discard_ehlo_keywords = chunking
 {% endif %}
 {% if postfix_reject_sender_login_mismatch %}
 smtpd_sender_login_maps =