We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Assigner | mitre |
Reserved | 2023-12-24 |
Published | 2023-12-24 |
Updated | 2024-08-02 |
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
http://www.openwall.com/lists/oss-security/2023/12/24/1 ([oss-security] 20231224 Re: Re: New SMTP smuggling attack)
http://www.openwall.com/lists/oss-security/2023/12/25/1 ([oss-security] 20231225 Re: Re: New SMTP smuggling attack)
https://bugzilla.redhat.com/show_bug.cgi?id=2255563
https://access.redhat.com/security/cve/CVE-2023-51764
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
https://github.com/eeenvik1/CVE-2023-51764
https://github.com/duy-31/CVE-2023-51764
https://www.youtube.com/watch?v=V8KPV96g1To
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/ (FEDORA-2024-c839e7294f)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/ (FEDORA-2024-5c186175f2)
https://lwn.net/Articles/956533/
https://www.openwall.com/lists/oss-security/2024/01/22/1
https://www.postfix.org/announcements/postfix-3.8.5.html
https://lists.debian.org/debian-lts-announce/2024/01/msg00020.html ([debian-lts-announce] 20240130 [SECURITY] [DLA 3725-1] postfix security update)
http://www.openwall.com/lists/oss-security/2024/05/09/3 ([oss-security] 20240508 Re: New SMTP smuggling attack)