Hello everyone,
On 19.12.23 13:31, Mark Alley via mailop wrote:
> Hey all, recently saw this mail server SMTP vulnerability that popped up
> on a blog yesterday. Sharing here for those interested.
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
On 03.01.2024 at 23:15 Brandon Long wrote:
Hmm, doesn't this also depend on improper handling of pipelining?
You can't pipeline past DATA,
https://datatracker.ietf.org/doc/html/rfc2920#section-3.1
I guess if the sender is sending line by line, maybe the server would only have
up to the
It appears that Brandon Long via mailop said:
>Hmm, doesn't this also depend on improper handling of pipelining?
Yes. The postfix patch to fix this checks for early talking past data.
R's,
John
>You can't pipeline past DATA,
Hmm, doesn't this also depend on improper handling of pipelining?
You can't pipeline past DATA,
https://datatracker.ietf.org/doc/html/rfc2920#section-3.1
I guess if the sender is sending line by line, maybe the server would only
have up to the DATA in the tcp buffer and process the DATA before
If you're not using the newest (patched) version of Postfix smtpd, a
short-term workaround for the SMTP Smuggling problem was announced
today (2023-Dec-26) that "will stop many forms of the published
attack" from succeeding:
Postfix :: SMTP Smuggling :: Short-term
On Wed, Dec 20, 2023 at 14:49:20 +, Gellner, Oliver via mailop wrote:
> Postfix is potentially vulnerable as for compatibility with broken
> clients it accepts . as an end-of-data command. Well, at least
> it did, Wietse has introduced a flag which fixes this kind of message
> smuggling:
>
>
On 19.12.2023 at 13:31 Mark Alley via mailop wrote:
> Hey all, recently saw this mail server SMTP vulnerability that popped up on a
> blog yesterday. Sharing here for those interested.
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Thanks for sharing,
On Tue 19/Dec/2023 21:19:06 +0100 Marco Moock via mailop wrote:
On 19.12.2023 at 17:20:20, Slavko via mailop wrote:
> Please, understand I properly, that it is no vulnerability in SMTP
> itself, but in (some) implementations/servers only?
According to the stuff I read, sendmail and Postfix
On 19.12.2023 at 17:20:20, Slavko via mailop wrote:
> Please, understand I properly, that it is no vulnerability in SMTP
> itself, but in (some) implementations/servers only?
According to the stuff I read, sendmail and Postfix (and more) are
affected, for sendmail a patched version exists
On Tue, Dec 19, 2023, Slavko via mailop wrote:
> Please, understand I properly, that it is no vulnerability in SMTP itself,
> but in (some) implementations/servers only?
The RFC is very precise about line endings and "end of message".
Some (legacy) MTAs try to be "nice" and accept other line
On 19 December 2023 at 12:31:11 UTC, user Mark Alley via mailop
wrote:
>Hey all, recently saw this mail server SMTP vulnerability that popped up on
>a blog yesterday. Sharing here for those interested.
Please, understand I properly, that it is no vulnerability in SMTP itself,
but in (some)
Hey all, recently saw this mail server SMTP vulnerability that popped up on
a blog yesterday. Sharing here for those interested.
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
-Mark Alley
___
mailop mailing list