info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
SMTP email smuggling
369 views
Skip to first unread message
Alex H
Dec 18, 2023, 9:48:32 PM12/18/23
to
Curious if Sendmail is vulnerable to the "modified" end of data command as presented on the link below. I see no references to mailer daemons, just to a very limited set of providers/gateways on their timeline details. Hopefully this had been disclosed with Proofpoint already.
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Alex H
Dec 18, 2023, 9:58:22 PM12/18/23
to
I take the above back. I just glanced over parts of the blog, and there is a specific section stating most well-known mailer daemons, including Sendmail, are currently vulnerable: "After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to."
I guess the catch may be the sentence "in their default configuration". Perhaps there is a mitigation already there that just need to be turned on by default?
I guess the catch may be the sentence "in their default configuration". Perhaps there is a mitigation already there that just need to be turned on by default?
Claus Aßmann
Dec 22, 2023, 1:35:15 AM12/22/23
to
Alex H wrote:
> Perhaps there is a mitigation already there that just need to be turned
> on by default?
8.18.0.2
> Perhaps there is a mitigation already there that just need to be turned
> on by default?
Accept only CR LF . CR LF as end of an SMTP message as
required by the RFCs when the new srv_features
option 'o' is used.
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
0 new messages