This paper describes a clever hack that uses defective line endings to embed a second SMTP session inside a first one, which has the practical effect of letting you send fake authenticated mail from anyone else who uses the same mail system you do. If that system is MS Outlook, that's a lot of people.
The hack depends on embedding strings like <LF>.<CR><LF> in a message which a sending system doesn't recognize as needing dot stuffing, and a recipient system treats as end of data. The paper claims that Postfix falls for this trick. We might want to tighten up bare LF handling. These days does anything that's not a botnet send bare LFs without using BDAT? https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ R's, John _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
