SMTP Smuggling in Zimbra Postfix: a technical deep dive

E-mail providers such as Microsoft Exchange Online and GMX allowed the <LF>.<CR><LF> sequence to pass unfiltered from their outbound (sending) SMTP server to the inbound (receiving) SMTP server, Postfix in our case.

Postfix does not ignore the sequence <LF>.<CR><LF>: as an inbound (receiving) server it interprets <LF>.<CR><LF> as an end-of-data sequence. As an outbound (sending) server, however, Postfix does not let <LF>.<CR><LF> pass through unfiltered, in contrast to the behaviour observed in Exchange Online and GMX. Consequently, attempting to send spoofed e-mails via Postfix to other mail servers using the <LF>.<CR><LF> sequence is ineffective.

Therefore, when searching for SMTP smuggling vulnerabilities, it is essential to examine both the outbound (sending) and the inbound (receiving) behaviour of a server.

Now, if an e-mail containing the <LF>.<CR><LF> sequence is sent from Exchange Online or GMX to Postfix as the inbound (receiving) mail server, Postfix interprets the sequence as end-of-data. The sender can thereby break out of the message data: everything that follows is read as further SMTP commands, which allows multiple e-mails to be smuggled through a single DATA transaction. This requires the inbound Postfix to accept multiple SMTP commands in one batch without waiting for a reply, i.e. SMTP pipelining. This was the case for Postfix, Sendmail, Cisco Secure Email and probably other servers. Hence, SMTP smuggling worked from Exchange Online or GMX to Postfix.
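To make the mechanism concrete, here is an added example (my own Python, not code from Zimbra, Postfix or any of the tools mentioned on this page) that models an inbound server's DATA reader in two modes: a lenient reader that honours <LF>.<CR><LF> as end-of-data, which is the pre-fix behaviour described above, and a strict reader that accepts only the RFC 5321 <CR><LF>.<CR><LF> and can additionally refuse bare <LF> outright. The byte stream it consumes is constructed for the example and stands for what a lenient outbound relay would forward verbatim; the addresses and domains in it are placeholders. It models the parsing decision, not Postfix's internals.

```python
"""
Model of an inbound SMTP server's DATA reader, to show why <LF>.<CR><LF>
lets a sender break out of the message body. Added example, not Postfix
code: 'lenient' is the pre-fix behaviour, 'strict' accepts only the RFC
5321 terminator and can refuse bare <LF> outright.
"""
import re

# End-of-data sequences. RFC 5321 defines only the first; a lenient
# receiver also honours the others, which is the smuggling vector.
LENIENT_EOD = (b"\r\n.\r\n", b"\n.\r\n", b"\n.\n", b"\r.\r\n")
STRICT_EOD = (b"\r\n.\r\n",)

BARE_LF = re.compile(rb"(?<!\r)\n")  # an <LF> that is not preceded by <CR>


def has_bare_newline(stream):
    """True if the stream contains a line ending in <LF> without <CR>."""
    return BARE_LF.search(stream) is not None


def _earliest_eod(stream, start, terminators):
    """Earliest (offset, sequence) of any terminator at or after start."""
    best_idx, best_term = -1, None
    for term in terminators:
        idx = stream.find(term, start)
        if idx != -1 and (best_idx == -1 or idx < best_idx):
            best_idx, best_term = idx, term
    return best_idx, best_term


def read_data_stream(stream, terminators, forbid_bare_newline=False):
    """Split the bytes that follow a DATA command the way a receiver that
    honours `terminators` would. Returns (messages, pipelined_commands).

    Bytes after an end-of-data are read as further SMTP commands without
    any round trip, i.e. pipelined; a DATA among them opens another body.
    """
    if forbid_bare_newline and has_bare_newline(stream):
        raise ValueError("bare <LF> received, refusing message")
    messages, commands = [], []
    pos = 0
    while True:
        idx, term = _earliest_eod(stream, pos, terminators)
        if idx == -1:
            raise ValueError("no end-of-data sequence found")
        messages.append(stream[pos:idx])
        pos = idx + len(term)
        if pos >= len(stream):
            return messages, commands
        # Back in command mode: consume lines until the next DATA.
        saw_data = False
        while pos < len(stream):
            eol = stream.find(b"\r\n", pos)
            if eol == -1:
                line, pos = stream[pos:], len(stream)
            else:
                line, pos = stream[pos:eol], eol + 2
            commands.append(line)
            if line.upper() == b"DATA":
                saw_data = True
                break
        if not saw_data:
            return messages, commands


# Constructed sample: what a lenient outbound relay forwards verbatim after
# a sender put <LF>.<CR><LF> and a second SMTP dialogue inside the message
# body. Placeholder addresses; the smuggled MAIL FROM uses the relay's own
# domain, so the forged envelope still passes SPF at the receiving side.
SMUGGLING_STREAM = (
    b"From: someone@example.net\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: outer message\r\n"
    b"\r\n"
    b"Delivered as intended.\r\n"
    b"\n.\r\n"                              # non-standard end-of-data
    b"MAIL FROM:<admin@example.net>\r\n"     # smuggled envelope
    b"RCPT TO:<victim@example.org>\r\n"
    b"DATA\r\n"
    b"From: admin@example.net\r\n"
    b"Subject: smuggled message\r\n"
    b"\r\n"
    b"Forged, yet passes SPF on arrival.\r\n"
    b"\r\n.\r\n"                            # the real end-of-data
)


def demo(stream=SMUGGLING_STREAM):
    """Run the same bytes through both readers and summarise the outcome."""
    lenient_msgs, lenient_cmds = read_data_stream(stream, LENIENT_EOD)
    strict_msgs, strict_cmds = read_data_stream(stream, STRICT_EOD)
    return {
        "lenient_messages": len(lenient_msgs),
        "lenient_commands": lenient_cmds,
        "strict_messages": len(strict_msgs),
        "strict_commands": strict_cmds,
        "rejected_when_bare_lf_forbidden": has_bare_newline(stream),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The lenient reader turns the single DATA payload into two messages and surfaces the smuggled MAIL FROM / RCPT TO / DATA lines as commands it never had to wait for; the strict reader delivers one message whose body merely contains those lines as text, and with bare-<LF> rejection switched on it refuses the payload before parsing it at all.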

It was possible to send a phishing e-mail that appeared to come from admin@outlook.com to Postfix via SMTP smuggling. Microsoft and GMX have patched this issue promptly. Notably, Zimbra's default Postfix configuration does not have SMTP pipelining enabled. Disabling BDAT support has already been communicated as a fix.

Some customers are concerned that their Postfix server may still be vulnerable despite applying the recommended settings and restarting the MTA. Several tools are available for checking SMTP smuggling, but their reliability varies. Here is a good one that you may find useful: https://github.com/The-Login/SMTP-Smuggling-Tools

"I just want to see whether someone can send me spoofed e-mails via SMTP smuggling." In that case, go straight to "Scan postfix as inbound SMTP server".
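As an added, offline complement to that scan (my own Python, not part of Zimbra or of the tool linked above), the following checks a Postfix configuration dump for the parameters that address smuggling on the inbound side: smtpd_forbid_bare_newline, smtpd_forbid_unauth_pipelining, smtpd_discard_ehlo_keywords (listing chunking there disables BDAT, the fix referred to above) and reject_unauth_pipelining in smtpd_data_restrictions. The parameter names are Postfix's own; the classification into hardened / workaround / vulnerable is my own reading of the Postfix guidance and is deliberately conservative: a parameter absent from the input counts as unset. The three sample configurations are constructed for the example. On a real host, pipe in the output of postconf for those parameters (the effective values, not a hand-edited main.cf, because defaults differ between Postfix releases).

```python
"""
Check a Postfix configuration dump for the settings that mitigate SMTP
smuggling on the inbound (receiving) side. Added example: the parameter
names are Postfix's own, the verdict logic is this example's. Usage:
  postconf smtpd_forbid_bare_newline smtpd_forbid_unauth_pipelining \
           smtpd_discard_ehlo_keywords smtpd_data_restrictions | python3 check.py --stdin
"""
import re
import sys

RELEVANT = (
    "smtpd_forbid_bare_newline",       # fix for the <LF>.<CR><LF> vector
    "smtpd_forbid_unauth_pipelining",  # drop clients that pipeline without permission
    "smtpd_discard_ehlo_keywords",     # "chunking" here disables BDAT
    "smtpd_data_restrictions",         # older workaround: reject_unauth_pipelining
)


def parse_postconf(text):
    """Parse `name = value` lines as printed by postconf into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def _list_value(value):
    """Postfix list parameters are comma and/or whitespace separated."""
    return {item.lower() for item in re.split(r"[,\s]+", value) if item}


def assess_smuggling_hardening(postconf_text):
    """Return per-setting findings plus an overall verdict.

    Absent parameters count as unset ("no" or empty). That is conservative
    on purpose: feed the effective values from postconf so that release
    defaults are taken into account rather than guessed here.
    """
    p = parse_postconf(postconf_text)
    bare = p.get("smtpd_forbid_bare_newline", "no").lower()
    findings = {
        # "yes" was the original setting; "normalize" was added later.
        "bare_newline_forbidden": bare in {"yes", "normalize"},
        "unauth_pipelining_forbidden":
            p.get("smtpd_forbid_unauth_pipelining", "no").lower() == "yes",
        "bdat_disabled":
            "chunking" in _list_value(p.get("smtpd_discard_ehlo_keywords", "")),
        "data_pipelining_rejected":
            "reject_unauth_pipelining" in _list_value(p.get("smtpd_data_restrictions", "")),
    }
    pipelining_blocked = (findings["unauth_pipelining_forbidden"]
                          or findings["data_pipelining_rejected"])
    if findings["bare_newline_forbidden"]:
        findings["overall"] = "hardened"
    elif findings["bdat_disabled"] and pipelining_blocked:
        findings["overall"] = "workaround"
    else:
        findings["overall"] = "vulnerable"
    return findings


# Constructed sample inputs (not taken from a real host).
WEAK_CONFIG = """\
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_forbid_bare_newline = no
smtpd_forbid_unauth_pipelining = no
smtpd_discard_ehlo_keywords =
smtpd_data_restrictions =
"""
WORKAROUND_CONFIG = """\
smtpd_forbid_bare_newline = no
smtpd_discard_ehlo_keywords = chunking, silent-discard
smtpd_data_restrictions = reject_unauth_pipelining
"""
HARDENED_CONFIG = """\
smtpd_forbid_bare_newline = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard
smtpd_data_restrictions = reject_unauth_pipelining
"""

if __name__ == "__main__":
    if "--stdin" in sys.argv:
        samples = {"stdin": sys.stdin.read()}
    else:
        samples = {"weak": WEAK_CONFIG, "workaround": WORKAROUND_CONFIG,
                   "hardened": HARDENED_CONFIG}
    for label, text in samples.items():
        print(f"[{label}] checking {', '.join(RELEVANT)}")
        for name, value in assess_smuggling_hardening(text).items():
            print(f"  {name:30} {value}")
```

A clean verdict here only confirms the running configuration, which is what the customers' concern was about; it does not replace an end-to-end test with the scanner linked above, since the scanner exercises the live SMTP dialogue rather than the configuration.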

Zimbra will be upgrading to Postfix 3.6.14 in the April patch release for Zimbra 10.

Copyright © 2022 Zimbra, Inc. All rights reserved.
