---
- branch: MAIN
  date: Wed Feb 28 15:16:19 UTC 2024
  files:
  - new: '1.47'
    old: '1.46'
    path: pkgsrc/mail/postfix/Makefile.common
    pathrev: pkgsrc/mail/postfix/Makefile.common@1.47
    type: modified
  - new: '1.208'
    old: '1.207'
    path: pkgsrc/mail/postfix/distinfo
    pathrev: pkgsrc/mail/postfix/distinfo@1.208
    type: modified
  id: 20240228T151619Z.1d0cbabe3e51822f96db29a30e14487cff7575b3
  log: |
    mail/postfix: update to 3.8.5

    3.8.5 (2024-01-22)

    Security: this release improves support to defend against an email
    spoofing attack (SMTP smuggling) on recipients at a Postfix server.
    For background, see https://www.postfix.org/smtp-smuggling.html.

    The improvements provide better logging, and better compatibility
    with existing SMTP clients (less need to allowlist clients).

    Sites concerned about SMTP smuggling attacks should enable this
    feature on Internet-facing Postfix servers. For compatibility with
    non-standard clients, Postfix by default excludes clients in
    mynetworks from this countermeasure.

    The recommended settings are:

        # Require the standard End-of-DATA sequence ..
        # Otherwise, allow bare and process it as if the client sent
        # .
        #
        # This maintains compatibility with many legitimate SMTP client
        # applications that send a mix of standard and non-standard line
        # endings, but will fail to receive email from client implementations
        # that do not terminate DATA content with the standard End-of-DATA
        # sequence ..
        #
        # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
        # The example below allowlists SMTP clients in trusted networks.
        #
        smtpd_forbid_bare_newline = normalize
        smtpd_forbid_bare_newline_exclusions = $mynetworks

    Notes:

    * The default setting is "smtpd_forbid_bare_newline = no" in Postfix
      releases < 3.9, for compatibility reasons. This means that Postfix
      is by default vulnerable to SMTP smuggling.

    * The new setting "smtpd_forbid_bare_newline = normalize" is the
      default for Postfix releases 3.9 and later.

    * The old setting "smtpd_forbid_bare_newline = yes" is now an alias
      for "smtpd_forbid_bare_newline = normalize".

    * The new setting "smtpd_forbid_bare_newline = reject" will refuse
      commands or message content with a bare newline.

    For details see the RELEASE_NOTES or the postconf(5) documentation.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/mail/postfix'
  unixtime: '1709133379'
  user: taca