fix(mok): Fix SMTP smuggling

6c8f35a8 · Sheogorath · d0ab40c6 · 6c8f35a8 · 6c8f35a8 · 6c8f35a8
Verified Commit 6c8f35a8 authored 1 year ago by Sheogorath
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
  Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.11.0
+version: 0.11.1
 sources:
  - https://de.postfix.org/ftpmirror/index.html
  - https://github.com/dovecot/core

--- a/charts/mok/README.md
+++ b/charts/mok/README.md
 # mok
-![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.11.1](https://img.shields.io/badge/Version-0.11.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
@@ -56,7 +56,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.hostname | string | `nil` | explicitly set postfix hostname |
 | postfix.image.pullPolicy | string | `"IfNotPresent"` |  |
 | postfix.image.repository | string | `"quay.io/shivering-isles/postfix"` | postfix container image |
-| postfix.image.tag | string | `"0.6.0"` | Overrides the image tag whose default is "latest" |
+| postfix.image.tag | string | `"3.8.4"` | Overrides the image tag whose default is "latest" |
 | postfix.imagePullSecrets | list | `[]` |  |
 | postfix.nodeSelector | object | `{}` |  |
 | postfix.podAnnotations | object | `{}` |  |

--- a/charts/mok/templates/postfix-config.yaml
+++ b/charts/mok/templates/postfix-config.yaml
@@ -299,6 +299,10 @@ data:
    ## SMTPD Restrictions Configuration
    ##
+    # Fixes for smtp-smuggling
+    smtpd_forbid_bare_newline = yes
+    smtpd_forbid_bare_newline_exclusions = $mynetworks
    smtpd_recipient_restrictions =
    #        check_recipient_access btree:/srv/config/access_recipient,
    #        check_recipient_access pgsql:/srv/tmp/recipient-access.cf

--- a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
@@ -108,6 +108,10 @@ should match snapshot:
        ## SMTPD Restrictions Configuration
        ##
+        # Fixes for smtp-smuggling
+        smtpd_forbid_bare_newline = yes
+        smtpd_forbid_bare_newline_exclusions = $mynetworks
        smtpd_recipient_restrictions =
        #        check_recipient_access btree:/srv/config/access_recipient,
        #        check_recipient_access pgsql:/srv/tmp/recipient-access.cf
@@ -418,7 +422,7 @@ should match snapshot:
      template:
        metadata:
          annotations:
-            checksum/config: ae779e82df8eab92d5ed337c3cae34b82ea65cc7e11637e47b3f91cf130e8de9
+            checksum/config: 0838cf3dfba1f00a38c0cd27491c5efaf355d048286ec4638dd0607cb3f8e22d
            checksum/secret: 4a9a25e04ee01efbca95ac61fbbeb7adc3623a3494e86cd91f2b0cabc281f936
          labels:
            app.kubernetes.io/component: postfix

--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -46,7 +46,7 @@ postfix:
    repository: quay.io/shivering-isles/postfix
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is "latest"
-    tag: "0.6.0"
+    tag: "3.8.4"
  imagePullSecrets: []

--- a/images/postfix/.release
+++ b/images/postfix/.release
-release=0.6.0
+release=3.8.4