Jan Bludau
TITLE
Patch: Postfix - 37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Debian 12, Postfix
PROBLEM DESCRIPTION
SMTP smuggling is a new attack technique that allows attackers to send fake emails that can bypass authentication mechanisms and spam filters. This technique was discovered and published in December 2023 by security researchers from SEC Consult.
SMTP stands for Simple Mail Transfer Protocol and is a standard protocol for sending and receiving emails on the Internet. SMTP is based on communication between SMTP servers that forward the emails and SMTP clients that send or receive the emails. The emails are divided into individual messages, each containing a header and a body. The header contains information such as the sender, recipient, date and subject of the email. The body contains the actual content of the email.
To mark the end of a message, a special string consisting of a period (.) followed by a newline is used. This string is called the End-of-Message (EOM). However, different SMTP implementations interpret this string differently. Some SMTP servers accept only a newline (\n), others only accept a carriage return (\r), and others accept both (\r\n). This creates an inconsistency between the SMTP servers that route the emails.
SMTP Smuggling exploits this inconsistency by inserting a special string in the body of an email that consists of a period (.) followed by a carriage return (\r). This string is called the End-of-Header (EOH). If an SMTP server interprets this string as EOM, it will truncate the email after this string and forward it to the next SMTP server. However, if the next SMTP server does not interpret this string as EOM, it will truncate the email after the next period (.) and forward it to the next SMTP server.
In this way, a single email can be split into multiple emails, each with a different header. The attacker can manipulate the header to spoof the sender, bypass authentication mechanisms such as SPF, DKIM and DMARC, or remove warnings such as spam flags. This can lead to various social engineering or phishing attacks where the recipient believes they are receiving a legitimate email from a trusted source.
How to protect yourself from SMTP smuggling? One option is to configure SMTP servers to accept only a uniform string for the EOM (\r\n.\r\n) and reject all other variants. Another option is to configure SMTP clients so that they do not insert additional periods (.) in the body of an email. Some large companies such as Microsoft and GMX have already secured their mail services against SMTP smuggling.
SMTP Smuggling is a new and dangerous attack technique that exploits the old and widely used SMTP protocol. It is important to educate yourself about this technology and take appropriate protective measures.
Patch: Postfix
37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide
STEPS TO REPRODUCE
Version 18.0.57 Update #5, installed
Debian 12.4
postfix | 3.7.9-0+deb12u1 |
ACTUAL RESULT
SMTP Smuggling possible
EXPECTED RESULT
SMTP Smuggling not possible
ANY ADDITIONAL INFORMATION
(DID NOT ANSWER QUESTION)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
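The end-of-message inconsistency the report describes can be checked for on the receiving side. The following is an added example, not part of the original post and not Postfix or Plesk code: it flags dot lines that are not `\r\n.\r\n` and shows a strict and a lenient receiver disagreeing on the message count. The function names and the sample input are constructed for illustration.

```python
import re

# The one end-of-data marker the SMTP standard defines: <CR><LF>.<CR><LF>
STANDARD_EOD = b"\r\n.\r\n"

# A lone dot between line breaks of any kind (CRLF, bare CR, bare LF).
# The trailing break is a lookahead so back-to-back dot lines are all seen.
_DOT_LINE = re.compile(rb"(\r\n|\r(?!\n)|(?<!\r)\n)\.(?=(\r\n|\r(?!\n)|\n))")

# What a tolerant receiver accepts as end-of-data: any break, dot, any break.
_LENIENT_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")


def find_nonstandard_eod(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for each dot line that is not CRLF.CRLF."""
    hits = []
    for m in _DOT_LINE.finditer(data):
        seq = m.group(1) + b"." + m.group(2)
        if seq != STANDARD_EOD:
            hits.append((m.start(), seq))
    return hits


def split_messages(stream: bytes, lenient: bool) -> list[bytes]:
    """Simplified receiver model: cut the stream at every end-of-data marker.

    lenient=False honours only CRLF.CRLF; lenient=True also honours the
    bare-CR and bare-LF variants. Empty trailing pieces are dropped.
    """
    parts = _LENIENT_EOD.split(stream) if lenient else stream.split(STANDARD_EOD)
    return [p for p in parts if p]


# Constructed sample: one message whose body contains a bare-LF dot line.
SAMPLE = (
    b"Subject: report\r\n\r\nfirst part\n.\n"
    b"text the sender still counts as the same message\r\n.\r\n"
)

if __name__ == "__main__":
    print("non-standard dot lines:", find_nonstandard_eod(SAMPLE))
    print("strict receiver sees", len(split_messages(SAMPLE, False)), "message(s)")
    print("lenient receiver sees", len(split_messages(SAMPLE, True)), "message(s)")
```

A non-empty result from `find_nonstandard_eod` on inbound DATA is the condition a server would reject under the "accept only a uniform string" option mentioned in the report.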