
Comments (7)

link2xt commented on June 9, 2024 2

My question is specifically about <LF>.<CR><LF>, I didn't see where the code ensures that newline before the dot is a CRLF and not just LF.

from haraka.

analogic commented on June 9, 2024 2

Tested

  • Anything other than "\n.\r\n" will send a merged (proper and exploit part) email.
  • "\n.\r\n" ends the transaction and creates a new one; it has the same measures as the previous one.

It looks like this:

← ehlo check.smtpsmuggling.com\r\n
→ 250-mail.poste.io Hello ... is at your service\r\n
→ 250-PIPELINING\r\n
→ 250-8BITMIME\r\n
→ 250-SMTPUTF8\r\n
→ 250-SIZE 26214400\r\n
→ 250 STARTTLS\r\n

← mail FROM:<[email protected]> size=640\r\n
→ 250 sender <[email protected]> OK\r\n

← rcpt TO:<...>\r\n
→ 250 recipient <...> OK\r\n

← 'data\r\n
→ 354 go ahead, make my day\r\n
← From: [email protected]\r\nTo: ...\r\nSubject: CHECK EMAIL (\'\\n.\\r\\n\')\r\nDate: Sat, 09 Mar 2024 15:47:52 -0000\r\nMessage-ID: <[email protected]>\r\n\r\nTESTING \'\\n.\\r\\n\' as "fake" end-of-data sequence!\r\n\n.\r\n\r\nmail FROM:<[email protected]>\r\nrcpt TO:<...>\r\ndata\r\nFrom: [email protected]\r\nTo: ...\r\nSubject: SMUGGLED EMAIL (\'\\n.\\r\\n\')\r\nDate: Sat, 09 Mar 2024 15:47:52 -0000\r\nMessage-ID: <[email protected]>\r\n\r\nSMUGGLING WORKS with \'\\n.\\r\\n\' as "fake" end-of-data sequence!\r\n.\r\n
→ 250 Message Queued (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.1) (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.1)\r\n

→ 500 Unrecognized command\r\n
→ 250 sender <[email protected]> OK\r\n
→ 250 recipient <...> OK\r\n
→ 354 go ahead, make my day\r\n
→ 250 Message Queued (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.2) (9A1D4D7E-B97A-429E-987B-72EE4FBA859F.2)\r\n

This is not the case with Postfix, which only checks the first email. If the second, smuggled email were problematic, Haraka would happily refuse to process it.


analogic commented on June 9, 2024 1

creating new transaction is dangerous because it will accept smuggled email

The point of this attack is to send email that should not be sent under normal circumstances, e.g. send a proper email AND smuggle an email that will later be DKIM signed and sent to the outside world without the restrictions that the previous email has. Creating a new transaction in Haraka means that every hook and every attribute will be run and checked in the same way as for the previous email; Postfix will just pre-check the first headers, accept the whole package and then split it into two separate payloads.

I really don't know why "\n.\r\n" is used (qmail inspired?), but I see no danger in leaving it that way. I would rather not change those core parts that might affect compatibility. There is an old saying in our country - don't fix a toilet that doesn't leak.


ansuz commented on June 9, 2024

According to a comment by @analogic in this discussion, Haraka is unaffected.


ansuz commented on June 9, 2024

thanks for investigating!


link2xt commented on June 9, 2024

  • "\n.\r\n" ends the transaction and creates a new one

Probably safer to report an error (to the logs) and reset the TCP connection in this case? Just <LF>.<CR><LF> is not a proper way to end the mail: creating a new transaction is dangerous because it will accept the smuggled email, and continuing to process it as a single mail is dangerous because it may send the next mail to the wrong recipient. Clients should never send <CR><LF><LF>.<CR><LF> or anything like this.


link2xt commented on June 9, 2024

E.g. send proper email AND smuggle email that will later be DKIM signed and sent to the outside world without the restrictions that the previous email has.

See the table at https://smtpsmuggling.com/: Exchange Online allowed inserting "\n.\r\n" into outgoing mail. If [email protected] sends a mail that is split into two and includes a second transaction with a mail from [email protected], Haraka will accept it as a mail from bob while alice never authenticated as bob to outlook.com. Such mail will be sent from the same outlook.com server, and while not having a DKIM signature (SMTP smuggling is not about attacking the outgoing server and making it sign the mail with DKIM), it will pass the SPF check. If you allow splitting the mail with "\n.\r\n", outgoing servers that still pass such a sequence through (even if outlook.com may be fixed) can be tricked into sending any mail from their IP address to your server.

The attack is to find any outgoing email server that passes "\n.\r\n" in the email body through and send a split mail from such a server to Haraka. If Haraka treats this as two separate emails, it will accept the second mail and the SPF check for it will pass even though the outgoing server never authenticated the second email or even processed it in any way other than passing it through.

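As an added example (not Haraka's code, and not posted by anyone in this thread), the following JavaScript implements the handling link2xt argues for: during the DATA phase, treat only CRLF "." CRLF as the end of the message, and record any other bare "." line (such as the LF "." CRLF variant from the test above) so the server can log an error and close the session instead of starting a second transaction or passing the sequence on. The function names `scanData` and `decide` and the sample payloads are assumptions constructed for this example.

```javascript
// Added example, not Haraka's own code: a strict end-of-data scanner for the
// SMTP DATA phase. It terminates the message only on the RFC 5321 sequence
// CRLF "." CRLF and records every other bare "." line (for instance the
// LF "." CRLF variant discussed in the thread) so the server can log an error
// and drop the session instead of starting a second transaction.

// Scan a DATA payload. Returns where the message legitimately ended and any
// "." lines that were not delimited by CRLF on both sides.
function scanData(raw) {
  // Each match is one line plus its terminator; a lone LF and a lone CR are
  // matched separately from CRLF so the three can be told apart.
  const lineRe = /([^\r\n]*)(\r\n|\n|\r)/g;
  // The DATA command itself ends with CRLF, so the first body line counts as
  // being preceded by a CRLF terminator (".\r\n" alone is a valid empty message).
  let prevTerm = '\r\n';
  const result = { terminated: false, endOffset: -1, anomalies: [] };
  let m;
  while ((m = lineRe.exec(raw)) !== null) {
    const [whole, text, term] = m;
    if (text === '.') {
      if (prevTerm === '\r\n' && term === '\r\n') {
        // Proper CRLF "." CRLF: the message ends here.
        result.terminated = true;
        result.endOffset = m.index + whole.length;
        break;
      }
      // A "." line that is not CRLF-delimited on both sides is never produced
      // by a conforming client; record which terminators surrounded it.
      result.anomalies.push({ offset: m.index, before: prevTerm, after: term });
    }
    prevTerm = term;
  }
  return result;
}

// Policy for a scan result. 'reject' means: log the anomaly and close the
// connection rather than either splitting the payload or forwarding it.
function decide(scan) {
  if (scan.anomalies.length > 0) return 'reject';
  if (scan.terminated) return 'accept';
  return 'incomplete'; // no terminator seen yet; keep reading from the client
}

// Constructed sample payloads (made up for this example).
const CLEAN_MESSAGE = 'Subject: hello\r\n\r\nplain body line\r\n.\r\n';

// Same shape as the thread's test: a body that contains LF "." CRLF followed
// by text shaped like a second transaction, then the real CRLF "." CRLF.
const SPLIT_MESSAGE =
  'Subject: first\r\n\r\nfirst body\r\n' +
  '\n.\r\n' +
  'MAIL FROM:<someone@example.invalid>\r\n' +
  'DATA\r\nSubject: second\r\n\r\nsecond body\r\n' +
  '.\r\n';

// Stand-alone demonstration: prints the decision and anomalies for each sample.
for (const [name, msg] of Object.entries({ CLEAN_MESSAGE, SPLIT_MESSAGE })) {
  const scan = scanData(msg);
  console.log(name, decide(scan), JSON.stringify(scan.anomalies));
}
```

The scanner deliberately does not try to "repair" a bad terminator by treating it as either a message boundary or body text; both choices are the failure modes described in the thread (accepting a smuggled transaction, or delivering a trailing mail to the wrong recipient), so the only safe outcome is to refuse the whole session and record the offset for the logs.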
