From cfc40d98cae3eae311bd203b174b298959fe13a6 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 26 Dec 2023 19:04:41 +0100 Subject: [PATCH] Mitigate smuggling setting smtpd_discard_ehlo_keywords. --- templates/main.cf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/main.cf.j2 b/templates/main.cf.j2 index bc98b66..121ecf2 100644 --- a/templates/main.cf.j2 +++ b/templates/main.cf.j2 @@ -621,6 +621,9 @@ smtpd_recipient_restrictions = reject_rbl_client {{ postfix_rbl_list }} {% endif %} +{% if postfix_mx_server %} +smtpd_discard_ehlo_keywords = chunking +{% endif %} smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces @@ -654,6 +657,7 @@ smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes # Block clients that speak too early. smtpd_data_restrictions = reject_unauth_pipelining +smtpd_discard_ehlo_keywords = chunking {% endif %} {% if postfix_reject_sender_login_mismatch %} smtpd_sender_login_maps =
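Review bot: Discarding CHUNKING in the `postfix_mx_server` block closes only the BDAT path. The workaround is normally paired with `smtpd_data_restrictions = reject_unauth_pipelining`, which in the visible lines is set only inside the later conditional touched by the second hunk. If the MX branch does not set it elsewhere in the template (not visible here), an MX-only host gets half of the mitigation. On Postfix releases that support it, `smtpd_forbid_bare_newline = yes` is the more complete setting and could be templated behind a version check. A comment above the new line, such as `# SMTP smuggling workaround: stop advertising CHUNKING (BDAT)`, would record why the keyword is dropped.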
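Review bot: When `postfix_mx_server` is true and the conditional enclosing this second addition also renders (its opening `{% if %}` is outside the hunk), main.cf defines `smtpd_discard_ehlo_keywords` twice. Postfix uses the last entry, and postconf usually warns about overriding the earlier one. Emitting the line once under a combined condition, e.g. `{% if postfix_mx_server or <second-block condition> %}`, keeps a single definition. A host that matches neither condition still advertises CHUNKING, and it is worth confirming that this is intended. Because the value is hard-coded, any keywords a deployment already discards would be replaced rather than extended; a role variable defaulting to `chunking` would avoid that.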