We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
Reserved 2023-12-24 | Published 2023-12-24 | Updated 2024-08-02 | Assigner mitrewww.postfix.org/smtp-smuggling.html
sec-consult.com/...mtp-smuggling-spoofing-e-mails-worldwide/
www.openwall.com/lists/oss-security/2023/12/24/1 ([oss-security] 20231224 Re: Re: New SMTP smuggling attack)
www.openwall.com/lists/oss-security/2023/12/25/1 ([oss-security] 20231225 Re: Re: New SMTP smuggling attack)
bugzilla.redhat.com/show_bug.cgi?id=2255563
access.redhat.com/security/cve/CVE-2023-51764
fahrplan.events.ccc.de/...ss/2023/fahrplan/events/11782.html
github.com/eeenvik1/CVE-2023-51764
github.com/duy-31/CVE-2023-51764
www.youtube.com/watch?v=V8KPV96g1To
lists.fedoraproject.org/...QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/ (FEDORA-2024-c839e7294f)
lists.fedoraproject.org/...JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/ (FEDORA-2024-5c186175f2)
www.openwall.com/lists/oss-security/2024/01/22/1
www.postfix.org/announcements/postfix-3.8.5.html
lists.debian.org/debian-lts-announce/2024/01/msg00020.html ([debian-lts-announce] 20240130 [SECURITY] [DLA 3725-1] postfix security update)
www.openwall.com/lists/oss-security/2024/05/09/3 ([oss-security] 20240508 Re: New SMTP smuggling attack)
Support options