[exim] SMTP smuggling and Exim
Hi,

I didn't see anything in the archives regarding this:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

exim is not mentioned, so it's not affected?

Regards
Bjoern

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] Re: SMTP smuggling and Exim
Hi,

On Fri, 22 Dec 2023 at 11:37, Bjoern Franke via Exim-users wrote:
> I didn't see anything in the archives regarding this:
>
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
>
> exim is not mentioned, so it's not affected?

Well, there are two reasons why exim is not "affected".

1. This is normal behaviour for an MTA. Accepting multiple mails in an incoming connection is common. However, in exim you can prevent that by only accepting one mail per connection.

2. It is the job of an MTA to prevent a normal mail from escaping to the command level. So if the sending MTA allows that, it is an error in that MTA, not in the receiving one.

Regards
Klaus

--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

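Point 2 of the message above, sketched as an added example that is not part of the original thread and is not Exim's code: a sender-side check for lone-dot lines whose line breaks are not CRLF, plus canonical encoding of a body for the DATA phase. The function names and the sample message are constructed for illustration.

```python
import re

CRLF = b"\r\n"
EOL = re.compile(rb"\r\n|\r|\n")  # CRLF listed first so it counts as one break

def split_lines(body: bytes) -> list[tuple[bytes, bytes]]:
    """Split on CRLF, bare CR or bare LF; return (line, terminator) pairs."""
    out, pos = [], 0
    for m in EOL.finditer(body):
        out.append((body[pos:m.start()], m.group()))
        pos = m.end()
    if pos < len(body):
        out.append((body[pos:], b""))
    return out

def audit(body: bytes) -> list[tuple[int, bytes]]:
    """Report (line number, raw bytes) for each lone-dot line whose line
    breaks are not CRLF on both sides: the spellings of end-of-data on which
    strict and lenient SMTP parsers can disagree."""
    findings, prev_eol = [], CRLF  # message content starts after a CRLF
    for n, (line, eol) in enumerate(split_lines(body), 1):
        if line == b"." and eol and (prev_eol, eol) != (CRLF, CRLF):
            findings.append((n, prev_eol + line + eol))
        prev_eol = eol
    return findings

def to_wire(body: bytes) -> bytes:
    """Encode a body for DATA: CRLF-only line ends, dot-stuffing per
    RFC 5321 section 4.5.2, then the one real end-of-data marker.
    Assumption: odd line breaks are normalised; rejecting is also valid."""
    wire = b""
    for line, _ in split_lines(body):
        wire += (b"." + line if line.startswith(b".") else line) + CRLF
    return wire + b"." + CRLF

# Constructed sample: line 4 is a lone dot preceded by a bare LF.
SAMPLE = (b"Subject: constructed sample\r\n\r\n"
          b"first part\n.\r\n"
          b"line after the dot\r\n"
          b".\r\nlast line\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(to_wire(SAMPLE))
```

After `to_wire`, the only `CRLF.CRLF` left in the stream is the terminator the sender appended itself, so a strict and a lenient receiver see the same message boundary.
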
[exim] Re: SMTP smuggling and Exim
On 12/22/23 10:37, Bjoern Franke via Exim-users wrote:
> exim is not mentioned, so it's not affected?

There's discussion as to whether it's really a useful attack.
Exim cannot be used as the first relay, but can be the second site.

As is commonly the case, the major issue is compatibility with
non-standards-conforming systems which *was* needed in the past.
Tightening the screws may break existing installations.
Some changes in that direction are already available.

--
Cheers,
Jeremy

[exim] Re: SMTP smuggling and Exim
On 22.12.23 at 11:37, Bjoern Franke via Exim-users wrote:
> Hi,
>
> I didn't see anything in the archives regarding this:
>
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Ok, I have issues seeing this as an "attack" at all, as you just can use the "evil" FROM as the first one and just send one mail.

This could only be an issue if the receiver trusts the sender's mailserver to have trusted/verified sender addresses in the first place.

BTW: Is there any exim built-in way to overwrite the mail_header_from after the sender has used "." and the moment the email gets transported other than a filter?

Best regards,
Marius

[exim] Re: SMTP smuggling and Exim
On Sat, Dec 23, 2023 at 10:27:02AM +, Jeremy Harris via Exim-users wrote:
> As is commonly the case, the major issue is compatibility with
> non-standards-conforming systems which *was* needed in the past.
> Tightening the screws may break existing installations.
> Some changes in that direction are already available.

An intriguing statement ;-) Available in 4.97, on master, on another branch?

Are there build time or run time configuration setting changes needed to enable taking an installation in that direction?

I already disable pipelining and chunking. Anything else I can do to get the strictest, most boring implementation of SMTP possible? I have no need to cater to broken clients.

--
Ian

[exim] Re: SMTP smuggling and Exim
On 12/23/23 19:15, Ian Z via Exim-users wrote:
> On Sat, Dec 23, 2023 at 10:27:02AM +, Jeremy Harris via Exim-users wrote:
>> Some changes in that direction are already available.
>
> An intriguing statement ;-) Available in 4.97, on master, on another
> branch?

In the git master.

> Are there build time or run time configuration setting changes needed
> to enable taking an installation in that direction?
>
> I already disable pipelining and chunking. Anything else I can do to
> get the strictest, most boring implementation of SMTP possible? I have
> no need to cater to broken clients.

Sure. You'd need to fine-tooth both the Makefile and your config, thinking hard about every feature and the relation to your security posture. I can't really advise on specifics.

For example, just supporting TLS is a massive increase in compiled code and therefore attack surface. Personally I prefer to have it available, but YMMV.

--
Cheers,
Jeremy