From 6c8f35a858c4d1d43c87dcbe5e176710f005f7b1 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 27 Dec 2023 16:32:56 +0100
Subject: [PATCH] fix(mok): Fix SMTP smuggling
---
 charts/mok/Chart.yaml | 2 +-
 charts/mok/README.md | 4 ++--
 charts/mok/templates/postfix-config.yaml | 4 ++++
 charts/mok/tests/__snapshot__/postfix_test.yaml.snap | 6 +++++-
 charts/mok/values.yaml | 2 +-
 images/postfix/.release | 2 +-
 6 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/charts/mok/Chart.yaml b/charts/mok/Chart.yaml
index 2db9d72ff..3a1066f8d 100644
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.11.0
+version: 0.11.1
 sources:
 - https://de.postfix.org/ftpmirror/index.html
 - https://github.com/dovecot/core
diff --git a/charts/mok/README.md b/charts/mok/README.md
index 9dab7bc73..f41007ea3 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -1,6 +1,6 @@
 # mok
-
+
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
@@ -56,7 +56,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.hostname | string | `nil` | explicitly set postfix hostname |
 | postfix.image.pullPolicy | string | `"IfNotPresent"` | |
 | postfix.image.repository | string | `"quay.io/shivering-isles/postfix"` | postfix container image |
-| postfix.image.tag | string | `"0.6.0"` | Overrides the image tag whose default is "latest" |
+| postfix.image.tag | string | `"3.8.4"` | Overrides the image tag whose default is "latest" |
 | postfix.imagePullSecrets | list | `[]` | |
 | postfix.nodeSelector | object | `{}` | |
 | postfix.podAnnotations | object | `{}` | |
diff --git a/charts/mok/templates/postfix-config.yaml b/charts/mok/templates/postfix-config.yaml
index fabf83b41..0da855257 100644
--- a/charts/mok/templates/postfix-config.yaml
+++ b/charts/mok/templates/postfix-config.yaml
@@ -299,6 +299,10 @@ data:
 ## SMTPD Restrictions Configuration
 ##
+ # Fixes for smtp-smuggling
+ smtpd_forbid_bare_newline = yes
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 smtpd_recipient_restrictions =
 # check_recipient_access btree:/srv/config/access_recipient,
 # check_recipient_access pgsql:/srv/tmp/recipient-access.cf
diff --git a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
index 11c748d04..3d2d1a482 100644
--- a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
@@ -108,6 +108,10 @@ should match snapshot:
 ## SMTPD Restrictions Configuration
 ##
+ # Fixes for smtp-smuggling
+ smtpd_forbid_bare_newline = yes
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 smtpd_recipient_restrictions =
 # check_recipient_access btree:/srv/config/access_recipient,
 # check_recipient_access pgsql:/srv/tmp/recipient-access.cf
@@ -418,7 +422,7 @@ should match snapshot:
 template:
 metadata:
 annotations:
- checksum/config: ae779e82df8eab92d5ed337c3cae34b82ea65cc7e11637e47b3f91cf130e8de9
+ checksum/config: 0838cf3dfba1f00a38c0cd27491c5efaf355d048286ec4638dd0607cb3f8e22d
 checksum/secret: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
 labels:
 app.kubernetes.io/component: postfix
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index 0f9b1b241..dac8e6b27 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -46,7 +46,7 @@ postfix:
 repository: quay.io/shivering-isles/postfix
 pullPolicy: IfNotPresent
 # -- Overrides the image tag whose default is "latest"
- tag: "0.6.0"
+ tag: "3.8.4"
 imagePullSecrets: []
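Review bot: In the charts/mok/templates/postfix-config.yaml hunk, `smtpd_forbid_bare_newline_exclusions = $mynetworks` exempts every client matching `mynetworks` from the bare-newline check, and nothing visible here bounds how wide `mynetworks` is in this chart. If SMTP connections reach the pod through a load balancer or node that rewrites the source address into a range covered by `mynetworks`, external senders would be treated as excluded and the protection would not apply to them; this needs confirming against the `mynetworks` value set elsewhere in the template, which is outside the hunk. I would expand the one-line comment to state that dependency, for example `# Reject bare <LF> line endings (SMTP smuggling); clients in $mynetworks are exempt, so keep mynetworks limited to trusted submitters`. Both parameters are rendered unconditionally while `postfix.image.tag` stays overridable, so a deployment pinned to an older image would presumably carry the settings without the server acting on them; a short remark in the comment about the minimum Postfix release would make that visible.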
diff --git a/images/postfix/.release b/images/postfix/.release
index 5307758bc..f3bb17dc5 100644
--- a/images/postfix/.release
+++ b/images/postfix/.release
@@ -1 +1 @@
-release=0.6.0
+release=3.8.4
-- 
GitLab