Mailing List Archive

Hi,

Am Fr den 22. Dez 2023 um 11:37 schrieb Bjoern Franke via Exim-users:
> I didn't see anything in the archives regarding this:
>
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
>
> exim is not mentioned, so it's not affected?

Well, there are two things why exim is not "affected".

1. This is a normal behaviour of a MTA. Accepting multiple mails in
incoming connection is common. However, in exim you can prevent that
by only accepting one mail per connection.

2. It is the job of an MTA preventing a normal mail to escape to the
command level. So if the sending MTA allows that, it is an error in
that MTA, not in the receiving one.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

On 12/22/23 10:37, Bjoern Franke via Exim-users wrote:
> exim is not mentioned, so it's not affected?

There's discussion as to whether it's really a useful attack.
Exim cannot be used as the first relay, but can be the second site.

As is commonly the case, the major issue is compatibility with
non-standards-conforming systems which *was* needed in the past.
Tightening the screws may break existing installations.

Some changes in that direction are already available.

--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Am 22.12.23 um 11:37 schrieb Bjoern Franke via Exim-users:
> Hi,
>
> I didn't see anything in the archives regarding this:
>
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
>
>

Ok, i have issues seeing this as an "attack" at all, as you just can use
the "evil" FROM as the first one and  just send one mail.

This could only be an issue, if the receiver trusts the senders
mailserver to have trusted/verified senderadresses in the first place.


BTW:

Is there any exim build-in way to overwrite the mail_header_from after
the sender has used "." and the moment the email gets transported other
than a filter?

Best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sat, Dec 23, 2023 at 10:27:02AM +0000, Jeremy Harris via Exim-users wrote:

> As is commonly the case, the major issue is compatibility with
> non-standards-conforming systems which *was* needed in the past.
> Tightening the screws may break existing installations.

> Some changes in that direction are already available.

An intriguing statement ;-) Available in 4.97, on master, on another
branch? Are there build time or run time configuration setting changes
needed to enable taking an installation in that direction?

I already disable pipelining and chunking. Anything else I can do to
get the strictest, most boring implementation of SMTP possible? I have
no need to cater to broken clients.

--
Ian

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 12/23/23 19:15, Ian Z via Exim-users wrote:
> On Sat, Dec 23, 2023 at 10:27:02AM +0000, Jeremy Harris via Exim-users wrote:
>> Some changes in that direction are already available.
>
> An intriguing statement ;-) Available in 4.97, on master, on another
> branch?

In the git master.

> Are there build time or run time configuration setting changes
> needed to enable taking an installation in that direction?
>
> I already disable pipelining and chunking. Anything else I can do to
> get the strictest, most boring implementation of SMTP possible? I have
> no need to cater to broken clients.

Sure. You'd need to fine-tooth both the Makefile and your config,
thinking hard about every feature and the relation to your security
posture.

I can't really advise on specifics. For example, just supporting
TLS is a massive increase in compiled code and therefore attack surface.
Personally I prefer to have it available, but YMMV.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/