We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)




Assigner:mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca)


Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

References ([oss-security] 20231224 Re: Re: New SMTP smuggling attack) mailing-list ([oss-security] 20231225 Re: Re: New SMTP smuggling attack) mailing-list (FEDORA-2024-c839e7294f) vendor-advisory (FEDORA-2024-5c186175f2) vendor-advisory ([debian-lts-announce] 20240130 [SECURITY] [DLA 3725-1] postfix security update) mailing-list ([oss-security] 20240508 Re: New SMTP smuggling attack) mailing-list CVE-2023-51764 CVE-2023-51764

Download JSON

Share this page