Comments (7)
My question is specifically about `<LF>.<CR><LF>`, I didn't see where the code ensures that the newline before the dot is a CRLF and not just LF.
Tested
- Anything other than "\n.\r\n" will send a merged (proper and exploit part) email.
- "\n.\r\n" ends the transaction and creates a new one - it has the same measures as the previous one.
It looks like this:
← ehlo check.smtpsmuggling.com\r\n
→ 250-mail.poste.io Hello ... is at your service\r\n
→ 250-PIPELINING\r\n
→ 250-8BITMIME\r\n
→ 250-SMTPUTF8\r\n
→ 250-SIZE 26214400\r\n
→ 250 STARTTLS\r\n
← mail FROM:<[email protected]> size=640\r\n
→ 250 sender <[email protected]> OK\r\n
← rcpt TO:<...>\r\n
→ 250 recipient <...> OK\r\n
← 'data\r\n
→ 354 go ahead, make my day\r\n
← From: [email protected]\r\nTo: ...\r\nSubject: CHECK EMAIL (\'\\n.\\r\\n\')\r\nDate: Sat, 09 Mar 2024 15:47:52 -0000\r\nMessage-ID: <[email protected]>\r\n\r\nTESTING \'\\n.\\r\\n\' as "fake" end-of-data sequence!\r\n\n.\r\n\r\nmail FROM:<[email protected]>\r\nrcpt TO:<...>\r\ndata\r\nFrom: [email protected]\r\nTo: ...\r\nSubject: SMUGGLED EMAIL (\'\\n.\\r\\n\')\r\nDate: Sat, 09 Mar 2024 15:47:52 -0000\r\nMessage-ID: <[email protected]>\r\n\r\nSMUGGLING WORKS with \'\\n.\\r\\n\' as "fake" end-of-data sequence!\r\n.\r\n
→ 250 Message Queued (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.1) (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.1)\r\n
→ 500 Unrecognized command\r\n
→ 250 sender <[email protected]> OK\r\n
→ 250 recipient <...> OK\r\n
→ 354 go ahead, make my day\r\n
→ 250 Message Queued (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.2) (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.2)\r\n
This is not the case with Postfix, which only checks the first email. If the second and smuggled email would be problematic, Haraka would happily refuse to process it.
> creating new transaction is dangerous because it will accept smuggled email
The point of this attack is to send email that should not be sent under normal circumstances. E.g. send proper email AND smuggle email that will later be DKIM signed and sent to the outside world without the restrictions that the previous email has. Creating a new transaction in Haraka means that every hook and every attribute will be run and checked in the same way as the previous email - Postfix will just pre-check the first headers, accept the whole package and then split it into two separate payloads.
I really don't know why "\n.\r\n" is used (qmail inspired?), but I see no danger in leaving it that way. I would rather not change those core parts that might affect compatibility. There is an old saying in our country - don't fix a toilet that doesn't leak.
According to a comment by @analogic in this discussion, Haraka is unaffected.
thanks for investigating!
> - "\n.\r\n" ends the transaction and creates a new one
Probably safer to report error (to the logs) and reset TCP connection in this case? Just `<LF>.<CR><LF>` is not a proper way to end the mail, creating new transaction is dangerous because it will accept smuggled email and continuing to process as a single mail is dangerous because it may send next mail to wrong recipient. Clients should never send `<CR><LF><LF>.<CR><LF>` or anything like this.
> E.g. send proper email AND smuggle email that will later be DKIM signed and sent to the outside world without the restrictions that the previous email has.
See table at https://smtpsmuggling.com/, Exchange Online allowed to insert "\n.\r\n" into outgoing mail. If [email protected] sends a mail that is split into two and includes second transaction with a mail from [email protected], Haraka will accept it as a mail from bob while alice never authenticated as bob to outlook.com. Such mail will be sent from the same outlook.com server, and while not having a DKIM signature (SMTP smuggling is not about attacking the outgoing server and making it sign the mail with DKIM) it will pass SPF check. If you allow splitting the mail with "\n.\r\n", outgoing servers that still pass such sequence through (even if outlook.com may be fixed) can be tricked into sending any mail from their IP address to your server.
The attack is to find any outgoing email server that passes "\n.\r\n" in the email body through and send split mail from such server to Haraka. If Haraka treats this as two separate emails, it will accept the second mail and SPF check for it will pass even though outgoing server never authenticated second email or even processed it in any way other than passing it through.
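As an added example (not Haraka's code, nor anything from the commenters above), the scanner below shows the end-of-data handling the thread argues for: only `<CRLF>.<CRLF>` terminates a message, a dot line bordered by a bare LF on either side is reported as a protocol violation to be logged and dropped rather than merged into one mail or turned into a second transaction, and leading dots are unstuffed per RFC 5321. It covers both the `"\n.\r\n"` test transcript and the "report error and reset TCP connection" suggestion. The sample input is constructed, modelled on the transcript in the thread with the mirror's redacted addresses replaced by example.com placeholders; `scanData` and `decide` are names chosen here, not Haraka API.

```javascript
// Added example, not Haraka's own code: a strict SMTP DATA-phase scanner.
// Only "\r\n.\r\n" ends the message (RFC 5321 section 4.5.2). A "." line
// preceded or terminated by a bare "\n" is reported as a violation instead of
// being treated as end-of-data (which would start a second transaction) or
// silently passed through (which would merge two mails into one).
const CRLF = '\r\n';

function scanData(raw) {
  const text = typeof raw === 'string' ? raw : raw.toString('latin1');
  const body = [];
  let bareLf = 0;        // non-terminal lines ended by "\n" without "\r"
  let prevCrlf = true;   // the "DATA\r\n" command line precedes the first line
  let pos = 0;

  while (pos < text.length) {
    const nl = text.indexOf('\n', pos);
    if (nl === -1) return { status: 'incomplete', consumed: pos };
    const crlf = nl > pos && text[nl - 1] === '\r';
    const line = text.slice(pos, crlf ? nl - 1 : nl);

    if (line === '.') {
      if (crlf && prevCrlf) {
        // genuine <CRLF>.<CRLF>: message complete, bytes after it belong to
        // the next command in the pipeline
        return { status: 'complete', body: body.join(CRLF), consumed: nl + 1, bareLf };
      }
      return {
        status: 'violation',
        reason: prevCrlf ? 'dot line terminated by bare LF' : 'dot line preceded by bare LF',
        offset: pos,
      };
    }

    if (!crlf) bareLf += 1;
    // dot-stuffing: a leading "." on a non-terminal line is transport escaping
    body.push(line.startsWith('.') ? line.slice(1) : line);
    prevCrlf = crlf;
    pos = nl + 1;
  }
  return { status: 'incomplete', consumed: pos };
}

// Map the scan result onto a server action: queue a complete message, wait for
// more bytes, or log the offending offset and drop the connection.
function decide(raw) {
  const r = scanData(raw);
  if (r.status === 'complete') return { action: 'queue', body: r.body };
  if (r.status === 'incomplete') return { action: 'wait' };
  return { action: 'drop', log: `bare-LF end-of-data at byte ${r.offset}: ${r.reason}` };
}

// Constructed samples (placeholder addresses), modelled on the thread's test:
// a proper message, and one that uses "\n.\r\n" as a fake terminator followed
// by a second, smuggled transaction.
const PROPER = ['Subject: hello', '', 'plain message', '..leading dot line'].join(CRLF)
  + CRLF + '.' + CRLF;

const FIRST = ['From: alice@example.com', 'To: victim@example.net',
  'Subject: CHECK EMAIL', '', 'first message'].join(CRLF);
const SECOND = ['mail FROM:<bob@example.com>', 'rcpt TO:<victim@example.net>', 'data',
  'From: bob@example.com', 'Subject: SMUGGLED', '', 'second message'].join(CRLF);
const SMUGGLED = FIRST + CRLF + '\n.\r\n' + SECOND + CRLF + '.' + CRLF;

console.log(JSON.stringify(decide(PROPER)));    // action: queue, one unstuffed body
console.log(JSON.stringify(decide(SMUGGLED)));  // action: drop, offset of the "." line
```

With the strict rule in place the smuggled payload never reaches the queue at all, so there is no second transaction to run hooks on and no merged message to misdeliver; the logged offset points at the `.` line so an operator can see which client sent the malformed sequence.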