CVE-2023-51764

Published: 24 December 2023

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Notes

We will not be releasing updates for Lunar which is EoL on
2024-01-25

Mitigation

Patched versions of Postfix before 3.9 require the below configs for the
fix to apply:
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks

Status

Severity score breakdown

References

• https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
• https://www.openwall.com/lists/oss-security/2023/12/21/6
• https://www.postfix.org/smtp-smuggling.html
• https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html
• https://www.openwall.com/lists/oss-security/2023/12/22/3
• https://ubuntu.com/security/notices/USN-6591-1
• https://ubuntu.com/security/notices/USN-6591-2
• https://www.cve.org/CVERecord?id=CVE-2023-51764
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059230
• https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2049337
• https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2050834