
SMTP Smuggling

3rd January 2024

Happy New Year from the spotit SOC team!

Introduction

On 18th December, security researchers at SEC Consult published their research into an SMTP Smuggling vulnerability affecting many e-mail delivery solutions.

SMTP Smuggling abuses a backwards-compatibility leniency in how e-mail servers detect the end of a message inside an SMTP session. When two servers in the delivery chain disagree about which byte sequence ends the message data, an attacker can hide extra SMTP commands and a second message inside one legitimately submitted e-mail, and the receiving server accepts that second, spoofed e-mail as if the first server had sent it. Vendors of affected solutions include Microsoft, Cisco, GMX/Ionos, Postfix, Sendmail, and others.

Postfix has since released fixed versions and published a clear description of how the attack works:

The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than <CR><LF>:

  • One email service A that does not recognize malformed line endings in SMTP such as in <LF>.<CR><LF> in an email message from an authenticated attacker to a recipient at email service B, and that propagates those malformed line endings verbatim when it forwards that message to:
  • One different email service B that does support malformed line endings in SMTP such as in <LF>.<CR><LF>. When this is followed by “smuggled” SMTP MAIL/RCPT/DATA commands and message header plus body text, email service B is tricked into receiving two email messages: one message with the content before the <LF>.<CR><LF>, and one message with the “smuggled” header plus body text after the “smuggled” SMTP commands. All this when email service A sends only one message.

Postfix is an example of email service B. Microsoft’s outlook.com was an example of email service A.

Affected Solutions

  • Cisco Secure E-mail Cloud Gateway, formerly “Cisco Cloud E-mail Security” or “CES”
  • Microsoft Outlook/Exchange Online
  • iCloud
  • On-premises Microsoft Exchange Server
  • Postfix
  • Sendmail
  • Startmail
  • Fastmail
  • Zohomail

Mitigations

Cisco Secure E-mail Cloud Gateway should be configured as follows:

  • Change the setting for ‘CR and LF Handling’ from the default ‘Clean’ to ‘Allow’.

The default ‘Clean’ setting enables inbound SMTP Smuggling: it rewrites bare <CR> and bare <LF> characters into <CR><LF>, so a smuggled <CR>.<CR> sequence inside the message data becomes a genuine <CR><LF>.<CR><LF> end-of-data sequence and the gateway splits one message into two. Note that ‘Allow’ passes bare <CR> and <LF> through verbatim, which makes the gateway an “email service A” in the terms of the Postfix description above; the next hop must therefore also only honour <CR><LF>.<CR><LF> as end of data.
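To make the two-service composition from the Postfix description and the ‘Clean’ behaviour above concrete, here is a small Python model written for this bulletin. It is not code from Postfix, Cisco, SEC Consult or any other vendor: it contains a strict receiver that only honours <CR><LF>.<CR><LF>, a lenient receiver that also honours malformed sequences such as <LF>.<CR><LF>, and a ‘Clean’-style normaliser that stands in for the Cisco default. The addresses, message text and the list of lenient terminators are constructed assumptions, not observed product behaviour.

```python
"""Model of the end-of-data parsing mismatch behind SMTP smuggling.

Constructed illustration for this bulletin. It is not code from Postfix,
Cisco, SEC Consult or any other vendor: the receivers are tiny models of the
SMTP DATA phase, the terminator lists are assumptions, and all addresses and
message text are made up.
"""
import re

# The only end-of-data sequence RFC 5321 defines.
STRICT_EOD = (b"\r\n.\r\n",)

# Malformed sequences a lenient receiver ("email service B" in the Postfix
# description) is modelled as also accepting. The real set differs per product.
LENIENT_EOD = (b"\r\n.\r\n", b"\n.\r\n", b"\r\n.\n", b"\n.\n", b"\r.\r")


def parse_session(stream: bytes, terminators: tuple) -> list:
    """Minimal SMTP receiver: returns the messages it believes it accepted.

    Commands are CRLF-terminated lines; only MAIL, RCPT and DATA are modelled.
    After DATA the body runs until the earliest occurrence of any sequence in
    `terminators`, and whatever follows is parsed as the next command.
    """
    messages, mail_from, rcpt_to, pos = [], None, [], 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end == -1:
            break                                   # no complete command left
        line, pos = stream[pos:end], end + 2
        verb, _, arg = line.partition(b":")
        verb = verb.strip().upper()
        if verb == b"MAIL FROM":
            mail_from = arg.strip()
        elif verb == b"RCPT TO":
            rcpt_to.append(arg.strip())
        elif verb == b"DATA":
            # The CRLF ending the DATA line may itself begin the terminator
            # (an empty body is "DATA\r\n.\r\n"), so search from two bytes back.
            hits = []
            for term in terminators:
                idx = stream.find(term, pos - 2)
                if idx != -1:
                    hits.append((idx, term))
            if not hits:
                raise ValueError("DATA never terminated")
            # Earliest match wins; on a tie prefer the longest sequence.
            idx, term = min(hits, key=lambda h: (h[0], -len(h[1])))
            messages.append({"from": mail_from, "to": rcpt_to,
                             "body": stream[pos:idx] if idx > pos else b""})
            pos = idx + len(term)
            mail_from, rcpt_to = None, []
    return messages


def build_submission(fake_eod: bytes) -> bytes:
    """The one message an authenticated attacker submits to service A.

    `fake_eod` is the malformed end-of-data sequence hidden in the body; the
    bytes after it are the smuggled envelope and second message (constructed).
    """
    smuggled = (b"MAIL FROM:<ceo@a.example>\r\n"
                b"RCPT TO:<victim@b.example>\r\n"
                b"DATA\r\n"
                b"From: ceo@a.example\r\nTo: victim@b.example\r\n"
                b"Subject: Urgent wire transfer\r\n\r\n"
                b"Please pay the attached invoice today.")
    body = (b"From: attacker@a.example\r\nTo: victim@b.example\r\n"
            b"Subject: hello\r\n\r\nHarmless text" + fake_eod + smuggled)
    return (b"MAIL FROM:<attacker@a.example>\r\n"
            b"RCPT TO:<victim@b.example>\r\n"
            b"DATA\r\n" + body + b"\r\n.\r\n")      # the real end of data


def forward_verbatim(message: dict) -> bytes:
    """Service A relays what it accepted as a single message, bytes untouched."""
    return (b"MAIL FROM:" + message["from"] + b"\r\n"
            + b"".join(b"RCPT TO:" + r + b"\r\n" for r in message["to"])
            + b"DATA\r\n" + message["body"] + b"\r\n.\r\n")


def clean_bare_newlines(stream: bytes) -> bytes:
    """Model of a 'Clean' line-ending setting: bare CR and bare LF become CRLF.

    Assumption used to illustrate the Cisco default described in this
    bulletin; it does not reproduce the product's actual implementation.
    """
    return re.sub(rb"\r\n|\r|\n", b"\r\n", stream)


def run_attack(fake_eod: bytes, receiver_eod: tuple, clean: bool = False) -> tuple:
    """Attacker -> service A (strict) -> service B. Returns (A's view, B's view)."""
    seen_by_a = parse_session(build_submission(fake_eod), STRICT_EOD)
    wire = forward_verbatim(seen_by_a[0])
    if clean:
        wire = clean_bare_newlines(wire)    # receiver normalises before parsing
    return seen_by_a, parse_session(wire, receiver_eod)


if __name__ == "__main__":
    cases = {"lenient B, <LF>.<CR><LF>": (b"\n.\r\n", LENIENT_EOD),
             "strict B, <LF>.<CR><LF>": (b"\n.\r\n", STRICT_EOD),
             "'Clean' B, <CR>.<CR>": (b"\r.\r", STRICT_EOD, True),
             "'Allow' B, <CR>.<CR>": (b"\r.\r", STRICT_EOD)}
    for label, args in cases.items():
        a, b = run_attack(*args)
        print(f"{label}: A sent {len(a)} message(s), B accepted {len(b)}")
```

Running it shows service A forwarding one message while the lenient receiver accepts two, the second carrying the smuggled envelope sender. The same bytes stay one message at a receiver that only honours <CR><LF>.<CR><LF>, which is what the Postfix fix enforces. With bare <CR> and <LF> normalised before parsing, the <CR>.<CR> variant splits the message even at that strict receiver, which is why ‘Clean’ is the weak setting for the gateway and ‘Allow’ (pass the bytes through untouched) is the one to select, provided the next hop is strict as well.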