Subject: CVS commit: pkgsrc/mail/postfix
From: Takahiro Kambe
Date: 2024-02-28 16:16:19
Message id: 20240228151619.D8485FA27@cvs.NetBSD.org
Log Message:
mail/postfix: update to 3.8.5
3.8.5 (2024-01-22)
Security: this release improves support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server. For
background, see https://www.postfix.org/smtp-smuggling.html.
The improvements provide better logging, and better compatibility with
existing SMTP clients (less need to allowlist clients).
Sites concerned about SMTP smuggling attacks should enable this feature
on Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.
The recommended settings are:
# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
# that do not terminate DATA content with the standard End-of-DATA
# sequence <CR><LF>.<CR><LF>.
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
Notes:
* The default setting is "smtpd_forbid_bare_newline = no" in Postfix
releases < 3.9, for compatibility reasons. This means that Postfix
is by default vulnerable to SMTP smuggling.
* The new setting "smtpd_forbid_bare_newline = normalize" is the
default for Postfix releases 3.9 and later.
* The old setting "smtpd_forbid_bare_newline = yes" is now an alias for
"smtpd_forbid_bare_newline = normalize".
* The new setting "smtpd_forbid_bare_newline = reject" will refuse
commands or message content with a bare newline. For details see
the RELEASE_NOTES or the postconf(5) documentation.
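To make the three settings concrete, here is an added Python model (not Postfix code, and a deliberate simplification of it) of how a DATA reader behaves under each value: "normalize" accepts only the 5-byte <CR><LF>.<CR><LF> as End-of-DATA and turns other bare <LF>s into <CR><LF>, "no" also ends DATA on a bare-<LF> "." line, and "reject" refuses any bare <LF>. The sample message and the function names are constructed for this illustration.

```python
import re

BARE_LF = re.compile(rb"(?<!\r)\n")   # an <LF> not preceded by <CR>
STD_EOD = b"\r\n.\r\n"                # the standard End-of-DATA sequence

def _unstuff(body: bytes) -> bytes:
    # SMTP dot-stuffing: a leading "." on a content line is removed.
    return b"\r\n".join(ln[1:] if ln.startswith(b".") else ln
                        for ln in body.split(b"\r\n"))

def read_data(stream: bytes, mode: str):
    """Simplified model of DATA handling for smtpd_forbid_bare_newline.
    Returns (body, leftover); body is None if no End-of-DATA was seen."""
    if mode == "reject":
        if BARE_LF.search(stream):
            raise ValueError("bare <LF> in message content")
        mode = "normalize"            # clean input: same as normalize
    if mode == "normalize":
        # Only the 5-byte standard sequence ends DATA; a leading ".\r\n"
        # counts because the client is at a line start after DATA.
        padded = b"\r\n" + stream
        idx = padded.find(STD_EOD)
        if idx < 0:
            return None, b""          # terminator never arrived: keep waiting
        body = BARE_LF.sub(b"\r\n", padded[2:idx])
        return _unstuff(body), padded[idx + len(STD_EOD):]
    if mode == "no":
        lines = stream.split(b"\n")
        kept = []
        for i, raw in enumerate(lines):
            line = raw[:-1] if raw.endswith(b"\r") else raw
            if line == b".":          # <LF>.<LF> ends DATA as well
                return _unstuff(b"\r\n".join(kept)), b"\n".join(lines[i + 1:])
            kept.append(line)
        return None, b""
    raise ValueError(f"unknown mode {mode!r}")

def rejects(stream: bytes) -> bool:
    """True if mode 'reject' refuses this DATA stream."""
    try:
        read_data(stream, "reject")
    except ValueError:
        return True
    return False

# Constructed sample: one bare-<LF> "." line inside otherwise CRLF content.
SAMPLE = (b"Subject: test\r\n\r\nline one\r\n"
          b"line two\n.\nafter bare-LF dot\r\n.\r\n")
```

With "no", the bytes after the bare-<LF> dot are returned as leftover input; with "normalize" they stay inside the message body, and "reject" refuses the stream outright.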
Files: