What is SMTP Smuggling and Tips on Testing Your Server
1/3/24 8:38 AM
Last modified on: 1/11/24 10:42 AM
Using SMTP Smuggling, a malicious user can smuggle an email inside another email message. The outer message is often harmless. The smuggled message can be dangerous: it can appear to come from a legitimate source, because it leaves your server like any other message and therefore passes SPF, DKIM, and DMARC checks. SEC Consult discovered this vulnerability around November 2023; according to them, it affects many popular email servers. This page discusses how to test your email server to ensure you're not affected.
Engineers at Postfix did an excellent job summarizing the problem; therefore, we will skip most of the technical jargon. Suffice it to say that this vulnerability exploits how emails are separated from each other when several are sent over a single network connection. Every SMTP server has an input and an output. A single incoming email must result in only one outgoing message. If your server is affected by this vulnerability, it could generate two or more messages through its output for that single incoming message. These additional messages are called "smuggled", and they will appear to originate from your server, following every best practice you have deployed on your end.
Additionally, the original blog post published by SEC Consult is a bit long. If you want to skim through it, we recommend reading the section on how email servers handle the <LF>.<LF> character sequence.
It is also important to note that this vulnerability involves two servers. In other words, you must send an outbound email to another server, such as Gmail, Hotmail, or others, to determine if you're affected.
Engineers at Synametrics wrote a tiny testing utility that can help you confirm if your server is vulnerable. This test utility is written in Java and is published along with its source code. Follow the instructions below on how to use it.
There are four actors in this utility: the original sender, the original recipient, the smuggled sender, and the smuggled recipient.
The testing utility sends one or two emails, depending on whether your email server supports CHUNKING. Your server is vulnerable if an email is sent to Smuggled Recipient's address. Use the following command to run it.
java -jar SmtpSmugglingTester.jar [-v] OPTIONS
Original sender (-os): Email address for the original sender. This should be a valid address in your domain.
Original recipient (-or): Email address for the original recipient. This should be a valid address somewhere on the Internet.
Smuggled sender (-ss): Email address for the smuggled sender. This should be an address in your domain but different from the one you specified for the original sender.
Smuggled recipient (-sr): Email address for the smuggled recipient. This should be an address on the Internet but different from the one you specified for the original recipient.
SMTP server: IP address/host name of your SMTP server. If missing, localhost is assumed.
Port: TCP/IP port. A value of 25 is assumed if this is missing.
Verbose (-v): If present, communication between this utility and the SMTP server will be printed on the screen.
java -jar SmtpSmugglingTester.jar -os email@example.com -or firstname.lastname@example.org -ss email@example.com -sr firstname.lastname@example.org
Although Xeams is not affected by this vulnerability, there is room for improvement. In technical terms, Xeams performs dot-stuffing along with replacing <CRLF>.<CRLF>, as suggested by
A better approach, however, is what Postfix will be doing for their long-term solution: terminate the network connection if an incorrect line termination sequence is provided by the client. Therefore, the next version of Xeams, which is expected to be released towards the end of January 2024, will have a configuration parameter allowing Xeams to terminate the connection if an SMTP client does not use RFC-compliant line terminators.
Terminating client connections could have unintended consequences, particularly if you have legacy software or scripts running on Linux/Unix that send outbound email. Therefore, this option will be turned OFF by default.
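The <LF>.<LF> handling referred to above and the two receiver-side fixes just discussed (normalize and dot-stuff, or drop the connection), as an added example that is not part of the Xeams or Postfix code: a DATA reader in Python that recognizes only <CRLF>.<CRLF> as the end of a message, so one incoming message can never become two outgoing ones. The function names (read_data_phase, unstuff) and the sample byte stream are assumptions constructed for this illustration.

```python
import re

END_OF_DATA = b"\r\n.\r\n"                            # the only valid DATA terminator
BARE_TERMINATOR = re.compile(rb"(?<!\r)\n|\r(?!\n)")  # <LF> without <CR>, or <CR> without <LF>

# Constructed sample: a message body containing a non-compliant <LF>.<LF>
# sequence, more text, then the real <CRLF>.<CRLF> and the next command.
SAMPLE = (b"From: sender@example.com\r\n\r\nouter body\r\n"
          b"\n.\n"
          b"text that should stay part of this message\r\n"
          b".\r\n"
          b"QUIT\r\n")


class BareLineTerminator(ValueError):
    """Raised in strict mode when a line inside DATA ends in bare <LF> or <CR>."""


def read_data_phase(stream, strict=True):
    """Split one DATA phase off the front of the bytes a client sent after the 354 reply.

    Returns (message, remainder): the message in wire form (CRLF endings,
    dot-stuffed, ready to relay) and whatever follows the terminator.
    """
    # The CRLF that ended the DATA command line precedes a lone ".", so an
    # empty message is just ".\r\n"; prepending CRLF models that.
    buf = b"\r\n" + stream
    end = buf.find(END_OF_DATA)
    if end < 0:
        raise ValueError("DATA not terminated by <CRLF>.<CRLF>")
    message = buf[2:end + 2]                      # keep the last line's own CRLF
    remainder = buf[end + len(END_OF_DATA):]

    if BARE_TERMINATOR.search(message):
        if strict:
            # Long-term approach described above: a client that does not use
            # RFC-compliant terminators loses the connection.
            raise BareLineTerminator("bare <LF> or <CR> line terminator in DATA")
        # Normalizing approach: rewrite bare terminators as CRLF, then stuff any
        # line that is now exactly "." so the next hop cannot read it as end-of-data.
        lines = BARE_TERMINATOR.sub(b"\r\n", message).split(b"\r\n")
        message = b"\r\n".join(b".." if ln == b"." else ln for ln in lines)
    return message, remainder


def unstuff(message):
    """Remove the transparency dot from lines that start with "." (RFC 5321 section 4.5.2)."""
    return b"\r\n".join(ln[1:] if ln.startswith(b".") else ln
                        for ln in message.split(b"\r\n"))
```

In strict mode the sample stream is rejected outright; in normalizing mode it yields exactly one message whose inner "." line is stuffed to "..", and the remainder is the following QUIT command.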