christoph ender's

blog

saturday the 27th of january, 2024

smtp smuggling

At the end of 2023, news about a novel kind of attack on SMTP servers was published: SEC Consult found a way to concatenate multiple e-mails in a way that made many systems process the second mail as if it had been submitted on it's own – along with all the privileges that were granted for the submission of the first one. While the MTA itself isn't attacked, this can be used to make any affected mail server act like an open relay.

For testing, I found the SMTP Smuggling Tools – implemented in Python – and Xeams test – a Java implementation – very useful to test various servers.

Apparently due to some misunderstanding with CERT, free projects like Postfix were notified just before christmas, although others like Microsoft got the information as early as June (it still took Microsoft more than two months to fix the problem for Exchange Online), leading to a few non-amused comments on the corresponding Postfix SMTP Smuggling page.

In Postfix, mature fixes are available for versions 3.8.5, 3.7.10, 3.6.14 and 3.5.24 – see the Postfix SMTP Smuggling page for more details – and activated in main.cf using:

smtpd_forbid_bare_newline = normalize