oss-sec mailing list archives

Re: New SMTP smuggling attack


From: Claus Assmann <ml+oss () esmtp org>
Date: Thu, 21 Dec 2023 14:46:56 +0000

Just for completeness:
sendmail 8.18.0.2 has options to handle this too, e.g.,
        Accept only CR LF . CR LF as end of an SMTP message as
                required by the RFCs when the new srv_features
                option 'o' is used.

And for those who read the source code there's also an FFR:
        /* enable checking for "bare LF" in message */
        "_FFR_BARE_LF",
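
The difference between the strict CR LF . CR LF terminator and a "bare LF" in the message, shown as an added example that is not part of the original message and is not sendmail code: a scanner that locates the strict end of data in a received DATA stream and reports line breaks and "." lines that only a lenient parser would accept. The function names and the sample bytes are constructed for illustration.

```python
import re

STRICT_EOD = b"\r\n.\r\n"  # the only end-of-data sequence the RFCs define

# A "." alone on a line, where each line break may be CRLF, bare LF or bare CR.
# The trailing break is a lookahead so back-to-back dot lines are all seen.
DOT_LINE = re.compile(rb"(\r\n|\n|\r)\.(?=(\r\n|\n|\r))")

# Constructed sample: a body containing LF . LF, then the real terminator.
SAMPLE = b"Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n"


def strict_end_of_data(data: bytes) -> int:
    """Offset just past the first CR LF . CR LF, or -1 if there is none."""
    pos = data.find(STRICT_EOD)
    return -1 if pos < 0 else pos + len(STRICT_EOD)


def bare_line_breaks(data: bytes) -> list:
    """(offset, kind) for each LF not preceded by CR and CR not followed by LF."""
    found = []
    for i, byte in enumerate(data):
        if byte == 0x0A and (i == 0 or data[i - 1] != 0x0D):
            found.append((i, "bare LF"))
        elif byte == 0x0D and data[i + 1:i + 2] != b"\n":
            found.append((i, "bare CR"))
    return found


def ambiguous_dot_lines(data: bytes) -> list:
    """Offsets of "." lines that only a lenient parser would treat as end of data."""
    return [m.start() for m in DOT_LINE.finditer(data)
            if (m.group(1), m.group(2)) != (b"\r\n", b"\r\n")]


if __name__ == "__main__":
    print("strict end of data at", strict_end_of_data(SAMPLE))
    print("bare line breaks:", bare_line_breaks(SAMPLE))
    print("ambiguous dot lines:", ambiguous_dot_lines(SAMPLE))
```

A non-empty result from `ambiguous_dot_lines` marks a message on which a strict and a lenient server would disagree about where the message ends.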

