Bill Cole via Postfix-users:
> On 2023-12-18 at 11:31:47 UTC-0500 (Mon, 18 Dec 2023 16:31:47 +0000)
> Vijay S Sarvepalli via Postfix-users <vssarvepa...@cert.org>
> is rumored to have said:
>
> > Hello Viktor, Wietse,
> > (I am copying the Postfix community as the report is out in the public
> > now)
> >
> > First of all thank you for your help and response to highlight your
> > approach to this issue. This may not be the first time you have
> > observed types of abuse that relate to spoofing.
> >
> > This research work has now been published by Sec Consult company, see
> > link below.
>
> It is interesting that they seem to be unaware of some SMTP basics, such
> as the fact that message bodies, message headers, and the SMTP protocol
> have different format rules, defined in different RFCs that are clearly
> marked as such. They seem to think that the problem is grounded in
> legitimate misunderstanding of imprecise RFCs, when it seems clear to me
> that there's one right interpretation.
>
> That very much ruins my ability to take what they are saying seriously.
> I believe they tested against the proprietary systems cited and found
> the issue, I find it extremely suspect that they show no examples for
> Sendmail or Postfix, merely an assertion.
>
> > The Postfix issues the researcher mentions, we were not able to
> > actually reproduce
>
> This is unsurprising.
Perhaps, but the story is more complicated, and that was not clear at the
time that this issue came up first.

The idea appears to be that some mail services will accept and forward
messages that contain a malformed end-of-data sequence (<CR><LF>.<CR><LF>
with one or more <CR> or <LF> missing), which is then followed by
well-formed SMTP commands to send email from a spoofed sender to a victim
recipient. The crucial part is that the service will think that it is
forwarding one message in a single SMTP MAIL/RCPT/DATA transaction.

Some forwarding services might repair the malformed end-of-data sequence
while forwarding the message. From the receiver's point of view they
receive two well-formed messages. This specific form of the problem, if it
exists at all, can be fixed only at the forwarding server's end.

Some receiving servers including Postfix will treat a malformed end-of-data
sequence as a valid one, and will receive the smuggled message as a
SEPARATE message, which would be subject to relay access checks just like
the recipient of the non-smuggled message. Relay checks will pass if the
same SMTP service hosts both the recipients of the non-smuggled and the
smuggled message. SPF checks will pass if the MAIL FROM sender of the
smuggled message is from a domain that is hosted at the forwarding mail
service. DKIM checks will find no signature.

The countermeasure that can be taken on the Postfix side:

- Don't accept mail with a broken end-of-data sequence (Postfix currently
  allows zero or more <CR> followed by <LF>). Or more generally, don't
  accept <CR> or <LF> that aren't part of a <CR><LF> sequence. Postfix
  does not support BDAT with BINARYMIME, so there is no valid use of
  stray <CR> or <LF> bytes.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
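An added illustration of the two points in the message above, not code from the thread or from Postfix: a minimal server state machine shows how a lenient line-ending rule (zero or more <CR> before <LF>) turns one forwarded transaction into two received messages, and a strict check implements the proposed countermeasure of rejecting any <CR> or <LF> that is not part of a <CR><LF> pair. The sample client stream and the addresses in it are constructed.

```python
import re

# Strict RFC 5321 line ending: every CR is followed by LF and every LF is
# preceded by CR. Any other CR or LF is a bare one.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")

STRICT_EOL = re.compile(rb"\r\n")    # what the RFC requires
LENIENT_EOL = re.compile(rb"\r*\n")  # "zero or more <CR> followed by <LF>"


def bare_line_break_offsets(data: bytes) -> list[int]:
    """Byte offsets of CR or LF bytes that are not part of a <CR><LF> pair."""
    return [m.start() for m in BARE_CR_OR_LF.finditer(data)]


def strict_data_ok(payload: bytes) -> bool:
    """Countermeasure: accept a DATA payload only if it has no stray CR/LF
    and ends with the well-formed <CR><LF>.<CR><LF> terminator."""
    return not bare_line_break_offsets(payload) and payload.endswith(b"\r\n.\r\n")


def count_transactions(stream: bytes, eol: re.Pattern) -> int:
    """Minimal server state machine over one client byte stream: DATA switches
    to message collection, a line that is exactly "." ends a message.
    Returns how many messages the server believes it received."""
    in_data, messages = False, 0
    for line in eol.split(stream):
        if in_data:
            if line == b".":
                in_data, messages = False, messages + 1
        elif line.upper().startswith(b"DATA"):
            in_data = True
    return messages


# Constructed sample stream: one transaction whose end-of-data is missing
# its first <CR>, followed by a second transaction inside the same DATA.
SAMPLE_STREAM = (
    b"MAIL FROM:<sender@example.org>\r\nRCPT TO:<user@example.net>\r\nDATA\r\n"
    b"Subject: first\r\n\r\nbody one\r\n"
    b"\n.\r\n"  # malformed terminator: <LF>.<CR><LF>
    b"MAIL FROM:<spoofed@example.org>\r\nRCPT TO:<user@example.net>\r\nDATA\r\n"
    b"Subject: second\r\n\r\nbody two\r\n"
    b"\r\n.\r\n"  # well-formed terminator
)

if __name__ == "__main__":
    print("strict parser sees", count_transactions(SAMPLE_STREAM, STRICT_EOL), "message(s)")
    print("lenient parser sees", count_transactions(SAMPLE_STREAM, LENIENT_EOL), "message(s)")
    print("bare CR/LF at offsets", bare_line_break_offsets(SAMPLE_STREAM))
```

The strict parser sees a single message whose body happens to contain SMTP command text, the lenient parser sees two separate messages, and the bare-CR/LF check flags the stream at the exact byte where the terminator is malformed.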