[LOGO]

SMTP Smuggling

[An updated version of this text may be found at https://www.postfix.org/smtp-smuggling.html]

Author: Wietse Venema

Last update: January 22, 2024

Summary

Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Technically, the attack explots END-OF-DATA confusion by sending <LF>.<LF> or <LF>.<CR><LF> instead of the standard sequence <CR><LF>.<CR><LF>. The vulnerability was introduced many decades ago in Sendmail, by allowing the non-standard <LF> line ending in addition to the standard <CR><LF>. For compatibility with programs that expect Sendmail behavior, the non-standard <LF> line ending was also allowed by other SMTP servers including Postfix and Exim.

Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix or other affected systems.

The net result: a presumably unintended zero-day attack was published because some people weren't aware of the scope of the attack.

After the attack was published, CVEs were assigned for Postfix, Sendmail, and Exim.

Details

The attack involves a COMPOSITION of two email services with specific differences in the way they handle non-standard forms of the SMTP End-of-DATA sequence:

Postfix is an example of email service B. Microsoft's outlook.com was an example of email service A.

Impact

Short-term workarounds

A short-term workaround can be deployed now, before the upcoming long holiday and associated production change freeze.

The idea is to reject unauthorised SMTP command pipelining (one network packet contains multiple lines with smuggled SMTP commands and message content), and to reject BDAT commands. That will stop many forms of the published attack (BDAT is part of the CHUNKING extension; it allows command pipelining that isn't allowed with the DATA command).

NOTE: this will block misuse of SMTP command pipelining. It will not block message pipelining (multiple MAIL transactions per session), nor will it block a malformed end of line. Malformed line endings are addressed with the long-term solution.

Compatibility: the setting "smtpd_forbid_unauth_pipelining = yes" or "smtpd_data_restrictions = reject_unauth_pipelining" may break legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare, especially when email is sent across the Internet.

Long-term fix

An updated long-term fix is available for Postfix 3.8.5, 3.7.10, 3.6.14 and 3.5.24. This stops all forms of the smuggling attacks on recipients at a Postfix server. It introduces a new optional feature that is disabled by default on Postfix versions < 3.9.

Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure.

An older long-term fix recommended using "smtpd_forbid_bare_newline = yes". Use that if you have Postfix 3.8.4, 3.7.9, 3.6.13 or 3.5.23. That setting still protects later Postfix versions against SMTP smuggling.

The recommended settings are:

main.cf:
    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Otherwise, allow bare <LF> and process it as if the client sent
    # <CR><LF>.
    #
    # This maintains compatibility with many legitimate SMTP client
    # applications that send a mix of standard and non-standard line
    # endings, but will fail to receive email from client implementations
    # that do not terminate DATA content with the standard End-of-DATA
    # sequence <CR><LF>.<CR><LF>.
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Notes:

Fixes for older Postfix versions

First, the " Short-term workaround " will prevent all realistic smuggling scenarios, even if some audit tool claims otherwise.

That said, patches for no longer supported Postfix releases are available from the source code mirrors listed at the Postfix download webpage. See the "Smuggling patches for older releases" link at the top of a "Postfix Source Code" page.

Reach out to Wietse if you need to patch an older version.

False claims from test tools

Some test tools may make false vulnerability claims based on non-viable attack patterns. This topic is covered in a separate document.

Timeline

References

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/