Knowledge Base

Vulnerability CVE-2023-51764 in Postfix

 
dmarcemailhostedipmail

Situation

Vulnerability CVE-2023-51764 affecting Postfix has been discovered.

Impact

  • The authenticated attacker can use the "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text, to spoof an email message from any MAIL FROM address whose domain is also hosted at email service A, to any RCPT TO address whose domain is also hosted at email service B.

  • The spoofed email message will pass SPF-based DMARC checks at email service B, because the spoofed message has a MAIL FROM address whose domain is hosted at email service A, and because the message was received from an IP address for email service A.

Call to action

Update Plesk to the latest version.

If update is not possible at the moment, apply the workaround:

Temporary workaround

The idea is to reject unauthorized SMTP command pipelining (one network packet contains multiple lines with smuggled SMTP commands and message content), and to reject BDAT commands. That will stop many forms of the published attack (BDAT is part of the CHUNKING extension; it allows command pipelining that isn't allowed with the DATA command).

NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.

  1. Connect to the server via SSH.

  2. Check Postfix version - first line of the output:

    # postconf -d | grep mail_version

  3. Modify Postfix configuration:

    • for Postfix 3.9.x, 3.8.4, 3.7.9, 3.6.13 and 3.5.23 or later, add following line to /etc/postfix/main.cf:    smtpd_forbid_bare_newline = yes
    • for Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 or later, add following lines to /etc/postfix/main.cf:     smtpd_forbid_unauth_pipelining = yes     smtpd_discard_ehlo_keywords = chunking, silent-discard
    • Otherwise, add:    smtpd_data_restrictions = reject_unauth_pipelining    smtpd_discard_ehlo_keywords = chunking, silent-discard

For example: if you have Postfix version 3.8.5 you need to apply the first option (because 3.8.5 >= 3.8.4). If you have Postfix version 3.6.11, use option 2 (because 3.6.11 is less than 3.6.13, but greater than 3.6.10). Please note, that options two and three can break some legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

© 2025 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit