Haraka
"SMTP Smuggling - Spoofing E-Mails Worldwide" #3261
Closed
tabascoterrier
started this conversation in
General
Replies: 2 comments 5 replies
-
|
Haraka is not affected due bare LF handling. See http://haraka.github.io/barelf |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Excellent, that's great to hear! |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
This came to my attention via Postfix - apparently SEC have been sitting on this for months, didn't think to disclose it to Postfix even though they specifically call them out in their article, and now published just before the Christmas break which has understandably annoyed a lot of people.
The TL;DR as I understand it is manipulating the differences in how different email servers handle line endings to smuggle additional headers through, and potentially spoof senders even when DMARC checks exist.
I'm not sure about the implications for Haraka (if any), but I felt it worth mentioning. Pinging @msimerson for visibility, sorry about that :)
SEC article: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Postfix response: https://www.postfix.org/smtp-smuggling.html
My original source: https://zombofant.net/@jssfr/111618969359339789
Beta Was this translation helpful? Give feedback.
All reactions