Postfix CA-2003-12 Preliminary REJECT pattern
=============================================

CERT advisory CA-2003-12 concerns a Sendmail buffer overflow exploit that can happen with message headers containing the 0xff byte value. At this time, 8-bit text in message headers violates Internet email standards. A properly implemented mail client encodes 8-bit message header text as 7-bit text.

According to documentation from Sendmail, some exploits can be stopped by configuring a gateway MTA to remove 0xff bytes from message headers. This provides partial protection, because downstream Sendmail systems may still use untrusted information from the DNS while (re)writing message headers. For the same reason, configuring a gateway MTA to limit the length of message headers would be a partial solution for downstream Sendmail systems.

Using Postfix to block 0xff in message headers
==============================================

One quick way to stop 0xff characters in message headers is to specify a header_checks REGEXP pattern and action. Specifying numerical character codes in REGEXP patterns turns out to be painful. Here is a somewhat clumsy method to specify a 0xff matching REGEXP:

    perl -e 'print "/\xff/ REJECT Possible CA-2003-12 exploit\n"' > /etc/postfix/block255

    /etc/postfix/main.cf:
        header_checks = regexp:/etc/postfix/block255 ...other_files...

The pattern was tested with FreeBSD 4, Redhat 8, Solaris 9, all on Intel.

Raw binary data such as 0xff may cause trouble with text editors. This is why the above example uses a separate file for blocking the 0xff character instead of appending the pattern to an existing header_checks file.

The equivalent PCRE pattern may be easier to specify, but PCRE support is not universally available with Postfix.
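The following Python script is an added example, not part of the Postfix documentation or source. It writes the same raw-byte table that the perl one-liner above produces, then applies that table to the header section of three constructed messages in the way header_checks does: one logical header at a time with its continuation lines, first matching pattern wins, message body never inspected. The matcher is a simplified stand-in for the Postfix regexp table code and uses Python's re module rather than the system regexp or PCRE library; the sample messages, the temporary file location and the ASCII-only variant of the table are all constructed here.

```python
"""Model of the Postfix header_checks REJECT pattern for 0xff bytes.

Added example, not Postfix code. The matcher is a simplified model of
header_checks: it is applied to the header section only, one logical
header at a time (continuation lines included), first match wins.
"""
import re
from pathlib import Path

# Exactly the bytes the perl one-liner writes to /etc/postfix/block255:
# a regexp containing the raw 0xff byte, then the action.
BLOCK255_TABLE = b"/\xff/ REJECT Possible CA-2003-12 exploit\n"

# ASCII-only variant in the style of a PCRE table: the engine expands
# the \xff escape itself, so no raw binary byte is needed in the file.
# Python's re understands the same escape, so this model can evaluate it.
PCRE_STYLE_TABLE = rb"/\xff/ REJECT Possible CA-2003-12 exploit" + b"\n"


def write_block255(path):
    """Write the table in binary mode so the raw 0xff byte survives; return what was written."""
    Path(path).write_bytes(BLOCK255_TABLE)
    return Path(path).read_bytes()


def parse_table(table):
    """Parse '/pattern/[i] ACTION text' lines into (compiled bytes regex, action) rules."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        m = re.match(rb"/(.*)/(i?)\s+(.*)", line, re.DOTALL)
        if not m:
            raise ValueError("bad header_checks line: %r" % line)
        flags = re.IGNORECASE if m.group(2) else 0
        rules.append((re.compile(m.group(1), flags), m.group(3)))
    return rules


def logical_headers(message):
    """Yield each header of a raw message, continuation lines folded into it."""
    header_part = message.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    current = None
    for line in header_part.split(b"\n"):
        if line[:1] in (b" ", b"\t") and current is not None:
            current += b"\n" + line  # continuation line belongs to the same header
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current


def check_headers(message, rules):
    """Return (action, offending header) for the first rule that matches, else None."""
    for header in logical_headers(message):
        for pattern, action in rules:
            if pattern.search(header):
                return action, header
    return None


# Constructed sample messages (not real traffic).
CLEAN_MSG = (b"From: alice@example.test\n"
             b"Subject: =?ISO-8859-1?Q?Gr=FC=DFe?=\n"  # 8-bit text properly encoded as 7-bit
             b"\n"
             b"body\n")
HOSTILE_MSG = (b"From: bob@example.test\n"
               b"Subject: test\n"
               b"\tpadding \xff\xff\xff\n"  # 0xff bytes hidden on a continuation line
               b"\n"
               b"body\n")
BODY_ONLY_MSG = (b"From: carol@example.test\n"
                 b"\n"
                 b"\xff\xff in the body, which header_checks does not see\n")


def demo():
    """Apply both table variants; a REJECT action means the message would be refused."""
    raw_rules = parse_table(BLOCK255_TABLE)
    pcre_style_rules = parse_table(PCRE_STYLE_TABLE)
    return {
        "clean": check_headers(CLEAN_MSG, raw_rules),
        "hostile": check_headers(HOSTILE_MSG, raw_rules),
        "hostile_pcre_style": check_headers(HOSTILE_MSG, pcre_style_rules),
        "body_only": check_headers(BODY_ONLY_MSG, raw_rules),
    }


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # stand-in for /etc/postfix
        print("block255 table bytes:", write_block255(os.path.join(d, "block255")))
    for name, result in demo().items():
        print(name, "->", result)
```

Only the hostile message is rejected, and it is caught even though the 0xff bytes sit on a folded continuation line; the correctly encoded Subject passes, and 0xff bytes in the body are out of scope for header_checks (body_checks would be the place for those). The raw-byte table and the ASCII-only table produce the same decision, which is the convenience the PCRE remark above refers to.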