The Postfix version shipped with Leap is no longer a version officially supported by Postfix.
Hence:
Fixes for older Postfix versions
First, the "Short-term workaround" will prevent all realistic smuggling scenarios, even if some audit tool claims otherwise. That said, patches for no longer supported Postfix releases are available from the source code mirrors listed at the Postfix download webpage. See the "Smuggling patches for older releases" link at the top of a "Postfix Source Code" page. Reach out to Wietse if you need to patch an older version.
and this should suffice:
Short-term workarounds
A short-term workaround can be deployed now, before the upcoming long holiday and associated production change freeze.
The idea is to reject unauthorised SMTP command pipelining (one network packet contains multiple lines with smuggled SMTP commands and message content), and to reject BDAT commands. That will stop many forms of the published attack (BDAT is part of the CHUNKING extension; it allows command pipelining that isn't allowed with the DATA command).
NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.
With all Postfix versions:
main.cf:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
Postfix 3.9, 3.8.1, 3.7.6, 3.6.10 and 3.5.20 can also block the same forms of the published attack with:
main.cf:
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard
With Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20, smtpd_forbid_unauth_pipelining is disabled by default for backwards compatibility.
With Postfix 3.9 (stable release expected early 2024), smtpd_forbid_unauth_pipelining is enabled by default, but it is still prudent to disable "chunking" as shown above.
Compatibility: the setting "smtpd_forbid_unauth_pipelining = yes" or "smtpd_data_restrictions = reject_unauth_pipelining" may break legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare, especially when email is sent across the Internet.
PS:
Do you really believe SUSE would not close such a hole?
Because the patched package (Dec 2023) comes from SUSE, not openSUSE...
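As an added example (not from the forum post or from the Postfix advisory quoted in it), a small Python audit script that parses a main.cf and reports whether the short-term workaround quoted above is in place; the sample main.cf and its values are constructed for the demonstration.

```python
# Added example (not from the Postfix advisory or the forum post): audit a
# Postfix main.cf for the short-term SMTP-smuggling workaround quoted above.
import re

# Constructed sample main.cf; a real audit would read /etc/postfix/main.cf.
SAMPLE_MAIN_CF = """\
# Postfix main configuration (constructed sample)
myhostname = mail.example.test
smtpd_data_restrictions =
    reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
"""

def parse_main_cf(text):
    """Parse main.cf into a dict. Later settings override earlier ones;
    a line starting with whitespace continues the previous value (Postfix syntax)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:       # continuation line
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def _csv(value):
    # Postfix lists may be separated by commas and/or whitespace.
    return {v.strip().lower() for v in re.split(r"[,\s]+", value) if v.strip()}

def audit_smuggling_workaround(text):
    """Return per-check results for the two settings the advisory recommends.
    The pipelining check passes via either reject_unauth_pipelining in
    smtpd_data_restrictions (all versions) or smtpd_forbid_unauth_pipelining = yes
    (only in Postfix 3.5.20/3.6.10/3.7.6/3.8.1/3.9 and later)."""
    p = parse_main_cf(text)
    pipelining_ok = (
        "reject_unauth_pipelining" in _csv(p.get("smtpd_data_restrictions", ""))
        or p.get("smtpd_forbid_unauth_pipelining", "").lower() == "yes"
    )
    chunking_ok = "chunking" in _csv(p.get("smtpd_discard_ehlo_keywords", ""))
    return {"pipelining": pipelining_ok, "chunking": chunking_ok,
            "ok": pipelining_ok and chunking_ok}

if __name__ == "__main__":
    print(audit_smuggling_workaround(SAMPLE_MAIN_CF))
```

The script only inspects main.cf; settings overridden in master.cf (the "-o" options of a smtpd service) are not seen by it.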