Security: SMTP Smuggling

Hi,
I am not 100% sure if univention is affected by SMTP Smuggeling, but as debian is affected, I see no reason why ucs is not. A test tool is not released until now. But you an do:

echo smtpd_data_restrictions = reject_unauth_pipelining >> /etc/postfix/main.cf.local 
echo smtpd_discard_ehlo_keywords = chunking, silent-discard >> /etc/postfix/main.cf.local 
ucr commit /etc/postfix/main.cf 
systemctl restart postfix

This should make your server safe again.

Best Regards
Sven

Read more:

• SMTP Smuggling - Spoofing E-Mails Worldwide - SEC Consult
• SMTP Smuggling – Spoofing E-Mails Worldwide - media.ccc.de
• SMTP Smuggling
• CVE-2023-51764

A fix is prepared by Univention developers, in a first step we will set these postfix config options in our ucr template.
https://forge.univention.org/bugzilla/show_bug.cgi?id=56957