Finally the two missing options against #smtpsmuggling arrived in #debian buster this morning.
https://security-tracker.debian.org/tracker/CVE-2023-51764
smtpd_forbid_bare_newline = normalize
and if needed:
smtpd_forbid_bare_newline_exclusions = $mynetworks
see
SPF-valid spoofed mail from admin@microsoft.com 
?
Timo Longin @login stumbled upon SMTP Smuggling while looking for vulnerabilities in the Simple Mail Transfer Protocol.
Great work and great talk!
#Smtp #SmtpSmuggling #TimoLongin #37c3
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
#smtpsmuggling ... Zumindest für #Debian #Bullseye ist die gefixte #postfix 3.5.23 in den Repos...
Neue Lücke in altem E-Mail-Protokoll: #SMTP smuggling | Security https://www.heise.de/news/Neue-Luecke-in-altem-E-Mail-Protokoll-SMTP-smuggling-9584467.html #SMTPsmuggling
Prescient words from RFC 2821, "Simple Mail Transfer Protocol". #smtpsmuggling https://www.ietf.org/rfc/rfc2821.txt
So, all in all, the whole #smtpsmuggling issue was based on clear-text protocols and servers/OSes that handle line ends differently? wow.. makes me even more a fan of binary protocols
#37c3
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
Wait? SEC Consult told closed-source providers like Microsoft months before about #SMTPSmuggling, but not #Postfix?
Capitalist bootlickers! Completely unacceptable!
I understand SEC's perspective. "We've told that central global organization that is super experienced in managing large scale security issues, they've told the vendors, but apparently nobody thinks this is a big deal, so yeah, let's publish the blog post then."
So, if what SEC says is true, then CERT/CC has fucked up. But of course SEC could've also talked to Postfix on their own. But why would they, CERT/CC already did.
This was all a big dumb game of telephone, it seems.
"Here's the problem."
"Here's why it's a problem."
"Here's how we inadvertently exacerbated one part of the problem."
"That bit admittedly sucked, and we're sorry for the trouble we caused."
That's good. That's how you do it.
"Sorry for ruining your Christmas, Wietse" (from Postfix) and something with penetration of the human body with dildos. The first 5 minutes of the #SMTPSmuggling talk at #37C3 does not disappoint. #sarcasm https://streaming.media.ccc.de/37c3/zuse
#smtpsmuggling erinnert mich dran, dass ich #oldstable #bullseye auf #stable #bookworm upgraden könnte/sollte.
(Was das Problem nicht löst, aber #Trixie scharrt ja auch schon langsam mit den Hufen, sollte den ungefähren 2-Jahres-Rhythmus nix brechen)
Hach, aber für so viel Aufregung hab ich grad keinen Nerv (ja, mich machen so dist-upgrades immer hoch nervös, sorry) und für ungeplante Ausfälle grad eher wenig Zeit (wie immer 
)
So kurzer aufschrieb wie man den Docker Mailserver halbwegs gegen SMTP Smuggling absichert:
https://blog.sengotta.net/docker-mailserver-gegen-smtp-smuggling-absichern/
#smtpsmuggling
Im Juni wird eine Sicherheitslücke entdeckt: Die zur Mailauslieferung notwendige "Zusammenarbeit" zwischen Mailservern lässt sich austricksen, um falsche Absender unterzujubeln. So wird #Spam und #Phishing Tür und Tor geöffnet.
Die Entdecker wissen von 11 Systemen (Mailprovider, Softwarehersteller), die betroffen sind. Informieren aber nur 3 davon. Ein Versuch der Klärung der Hintergründe vor dem #37C3-Vortrag heute.
#SMTPSmuggling
https://dnip.ch/2023/12/22/nicht-wirklich-responsible-disclosure-die-extraportion-spam-ueber-die-festtage/
https://waldvogel.family/@marcel/111622567290149119
Top gerade den neuen Mail Server in Betrieb genommen da kommt ne Sicherheitslücke die auch meiner Meinung nach nicht in korrekter Weise publiziert wurde. Wär schön wenn die MTA Entwickler mehr Zeit zum fixen gehabt hätte. Jetzt muss ich sehen wie ich das Übergangsweise im Docker Mailserver stopfe: https://www.postfix.org/smtp-smuggling.html #postfix #selfhosting #smtpsmuggling
In 24h + 40 minutes, the #SMTPSmuggling presentation by Timo Longin from SEC consult will start at #37C3. Maybe someone in the audience can ask about the weird shenanigans of not informing open source projects like postfix, exim, sendmail directly back in June and instead causing frantic hard work for them during Christmas. https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
After having been informed by @mathieui that #Exim is also affected, I compiled a list of what #SECConsult documented and what has been found out in the meantime. SEC Consult documented 11 mail systems (software and/or providers; many with millions of accounts) vulnerable to some form of #SMTPSmuggling. But they only informed 3. With #Exim also vulnerable (apparently presumed "clean" by SEC Consult), the list is now 12.
https://netfuture.ch/2023/12/smtp-smuggling-status/
Everyone attending #SECConsult #TimoLongin's #37c3 #SMTPSmuggling talk
https://events.ccc.de/congress/2023/hub/en/event/smtp_smuggling_spoofing_e-mails_worldwide/
at least boo them for shitting the devs in the face right before holidays.
It’s always #DNS. Unless it is DOS v UNIX linefeeds ;) #SMTPSmuggling
