update smtp server security conf

3 files changed, 9 insertions, 5 deletions

diff --git a/cluster/prod/app/email/build/docker-compose.yml b/cluster/prod/app/email/build/docker-compose.yml
index 39d28bd..a726fb6 100644
--- a/cluster/prod/app/email/build/docker-compose.yml
+++ b/cluster/prod/app/email/build/docker-compose.yml
@@ -26,9 +26,9 @@ services:
     build:
       context: ./postfix
       args:
-        # https://packages.debian.org/fr/buster/postfix
-        VERSION: 3.4.14-0+deb10u1
-    image: superboum/amd64_postfix:v3
+        # https://packages.debian.org/fr/trixie/postfix
+        VERSION: 3.8.4-1
+    image: superboum/amd64_postfix:v4
 
   opendkim:
     build:
diff --git a/cluster/prod/app/email/build/postfix/Dockerfile b/cluster/prod/app/email/build/postfix/Dockerfile
index 0c74fdc..174b636 100644
--- a/cluster/prod/app/email/build/postfix/Dockerfile
+++ b/cluster/prod/app/email/build/postfix/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:buster
+FROM amd64/debian:trixie
 
 ARG VERSION
 
diff --git a/cluster/prod/app/email/config/postfix/main.cf b/cluster/prod/app/email/config/postfix/main.cf
index a83e5ec..5593716 100644
--- a/cluster/prod/app/email/config/postfix/main.cf
+++ b/cluster/prod/app/email/config/postfix/main.cf
@@ -77,7 +77,11 @@ smtpd_relay_restrictions =
   permit_mynetworks
   reject_unauth_destination
 
-smtpd_data_restrictions = reject_unauth_pipelining
+# Disable SMTP smuggling attacks
+# https://www.postfix.org/smtp-smuggling.html
+smtpd_forbid_unauth_pipelining = yes
+smtpd_discard_ehlo_keywords = chunking
+smtpd_forbid_bare_newline = yes
 
 smtpd_client_connection_rate_limit = 2