https://bugs.exim.org/show_bug.cgi?id=3063
Viktor Dukhovni <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected] --- Comment #1 from Viktor Dukhovni <[email protected]> --- Does Exim enforce pipelining conformance by default? That is, what is the default behaviour of Exim when an SMTP client expedites some data before receiving a reply to a command (e.g. *DATA*) that should be the *last* in a pipeline group? Also, I should note that (as specified in RFC1830) BDAT is NOT the last command in a pipeline group, and so Exim will accept two messages via a transaction of the form: MAIL FROM:<sender> RCPT TO:<nobody> DATA From: Some Sender <sender> To: Discarded Rcpt <nobody> Subject: ... <Some Message> <LF>.<LF> MAIL FROM:<forged-sender> RCPT TO:<real-rcpt> BDAT <length> LAST From: Forged Sender <forged-sender> To: Real Rcpt <real-rcpt> Subject: Wire all your assets to me <Phishing attack> QUIT It is sadly legal to pipeline any number of messages without any pauses with BDAT. So provided the upstream system does not support CHUNKING, and treats non-standard line endings (<LF>.<LF> or <LF>.<CR><LF>) as normal message content to be sent verbatim, the SMTP smuggling scenario will work with that system as the sending and Exim as the receiving MTA. -- You are receiving this mail because: You are on the CC list for the bug. -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/ ## unsubscribe (doesn't require an account): ## [email protected] ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
