SMTP Smuggling
DRANK

[An updated version of this text may be found at

Wietse Venema
Last update: December 24, 2023

Summary

Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Unfortunately, critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix or other affected systems.

The net result appears to be that an unintended zero-day attack was published because some people weren't aware of the scope of the attack.

Details

The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than <CR><LF>:

One email service A that does not recognize malformed line…

postfix.org