Advisory No: TZCERT/SA/2023/01/08
Date of First Release: 8th January 2024
Source: SMTP servers
Software Affected: Postfix SMTP server (smtpd)
The vulnerability exists because the Postfix SMTP server, in some configurations, accepts an end-of-data sequence that other SMTP servers do not: a bare-newline <LF>.<LF> in place of the standard <CR><LF>.<CR><LF>. A remote attacker who can get such a sequence relayed by a sending server that does not treat it as end-of-data can break out of the message data, "smuggle" additional SMTP commands to the receiving Postfix server, and send spoofed e-mails that pass SPF checks.
By exploiting these differences in how SMTP servers interpret the end of the DATA section, an attacker can hide a second MAIL FROM, RCPT TO and DATA sequence inside the body of one message. The receiving server sees the smuggled message as coming from the same connection, and therefore from the same sending server IP, so SPF alignment checks still pass; hence the name SMTP smuggling.
The research that disclosed the technique identified two types of SMTP smuggling, outbound and inbound. Outbound smuggling abuses a sending (outbound) server that forwards the crafted end-of-data sequence unchanged; inbound smuggling abuses a receiving (inbound) server, such as Postfix, that accepts it. Together they allowed sending spoofed e-mails from millions of domains (e.g., admin[@]outlook.com) to millions of receiving SMTP servers.
Successful exploitation allows a remote attacker to deliver e-mail with a spoofed sender address from any domain whose SPF record authorises the abused outbound server, with the spoofed message passing the receiver's SPF checks.
Fixed releases and a workaround are available. Postfix 3.8.4, 3.7.9, 3.6.13 and 3.5.23 add the parameter smtpd_forbid_bare_newline; setting smtpd_forbid_bare_newline = yes in main.cf (followed by postfix reload) makes the SMTP server reject message data containing bare newlines, which removes the ambiguous end-of-data sequence. Users and administrators are encouraged to update to a fixed release and enable this setting, and to verify it with postconf smtpd_forbid_bare_newline.
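The following is an added example, not part of the TZCERT advisory and not Postfix's own code. It models the interpretation difference described above: a strict receiver ends DATA only on <CR><LF>.<CR><LF>, while a lenient receiver also accepts a bare <LF>.<LF>, so the same byte stream yields one message on the strict side and two on the lenient side. It also models the receiving-side check that the workaround introduces (rejecting message data containing a bare newline). All SMTP streams, addresses and domain names below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard end-of-data: <CR><LF>.<CR><LF>
END_OF_DATA_STRICT = re.compile(r"\r\n\.\r\n")
# A lenient receiver also accepts bare-LF line endings around the dot.
END_OF_DATA_LENIENT = re.compile(r"(\r\n|\n)\.(\r\n|\n)")
# Any LF that is not preceded by CR, i.e. a bare newline in message data.
BARE_LF = re.compile(r"(?<!\r)\n")


@dataclass
class Message:
    mail_from: Optional[str]
    rcpt_to: List[str]
    data: str


def parse_smtp_session(stream: str, lenient: bool) -> List[Message]:
    """Parse a client-to-server SMTP stream (the part after EHLO) into the
    messages a receiver would accept. Commands are CRLF-terminated; the
    end-of-data rule depends on whether the receiver is strict or lenient."""
    end_of_data = END_OF_DATA_LENIENT if lenient else END_OF_DATA_STRICT
    messages: List[Message] = []
    mail_from: Optional[str] = None
    rcpt_to: List[str] = []
    pos = 0
    while pos < len(stream):
        crlf = stream.find("\r\n", pos)
        if crlf == -1:
            break
        line = stream[pos:crlf]
        pos = crlf + 2
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            mail_from = line[len("MAIL FROM:"):].strip()
        elif upper.startswith("RCPT TO:"):
            rcpt_to.append(line[len("RCPT TO:"):].strip())
        elif upper == "RSET":
            mail_from, rcpt_to = None, []
        elif upper == "DATA":
            # The CRLF ending the DATA command line may itself be the first
            # part of the terminator, so search from two characters back.
            match = end_of_data.search(stream, pos - 2)
            if match is None:
                break  # DATA never terminated; nothing is accepted
            messages.append(Message(mail_from, list(rcpt_to), stream[pos:match.start()]))
            mail_from, rcpt_to = None, []
            pos = match.end()
        elif upper == "QUIT":
            break
    return messages


def has_bare_newline(data: str) -> bool:
    """True if message data contains an LF not preceded by CR. Rejecting such
    data on the receiving side is the effect of the smtpd_forbid_bare_newline
    workaround (modelled here, not Postfix's implementation)."""
    return BARE_LF.search(data) is not None


def receive_hardened(stream: str) -> Tuple[List[Message], List[Message]]:
    """Strict end-of-data parsing plus bare-newline rejection: returns the
    messages a hardened receiver accepts and those it rejects."""
    accepted: List[Message] = []
    rejected: List[Message] = []
    for msg in parse_smtp_session(stream, lenient=False):
        (rejected if has_bare_newline(msg.data) else accepted).append(msg)
    return accepted, rejected


# Constructed stream as it arrives at the inbound server after a strict
# outbound server relayed the client's message body unchanged.
SMUGGLING_STREAM = (
    "MAIL FROM:<user@outbound.example>\r\n"
    "RCPT TO:<victim@inbound.example>\r\n"
    "DATA\r\n"
    "From: user@outbound.example\r\n"
    "Subject: harmless\r\n"
    "\r\n"
    "Hello\r\n"
    "\n.\n"                                    # bare-LF end-of-data planted by the attacker
    "MAIL FROM:<admin@outbound.example>\r\n"   # smuggled envelope, still inside the first DATA
    "RCPT TO:<victim@inbound.example>\r\n"
    "DATA\r\n"
    "From: admin@outbound.example\r\n"
    "Subject: smuggled\r\n"
    "\r\n"
    "Pay the invoice now.\r\n"
    ".\r\n"
    "QUIT\r\n"
)

# Constructed stream with a single, correctly terminated message.
CLEAN_STREAM = (
    "MAIL FROM:<user@outbound.example>\r\n"
    "RCPT TO:<victim@inbound.example>\r\n"
    "DATA\r\n"
    "Subject: harmless\r\n"
    "\r\n"
    "Hello\r\n"
    ".\r\n"
    "QUIT\r\n"
)

if __name__ == "__main__":
    for lenient in (False, True):
        msgs = parse_smtp_session(SMUGGLING_STREAM, lenient=lenient)
        print(f"lenient={lenient}: {len(msgs)} message(s), senders {[m.mail_from for m in msgs]}")
    accepted, rejected = receive_hardened(SMUGGLING_STREAM)
    print(f"hardened receiver: accepted {len(accepted)}, rejected {len(rejected)}")
```

Run against SMUGGLING_STREAM, the strict parse returns one message whose body merely contains the text "MAIL FROM:<admin@outbound.example>", while the lenient parse returns two messages, the second with the spoofed envelope sender; the hardened receiver rejects the stream outright because of the bare newline, and accepts CLEAN_STREAM unchanged.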