#smtpsmuggling
notqmail:
We're pleased to announce notqmail 1.09.

notqmail is the collaborative Open Source successor to qmail and netqmail. It begins with stable, compatible, small releases to which existing qmail users can safely update, and aims to become a more extensible, more easily packaged, and more modern Mail Transport Agent suitable for most needs.

qmail's design principles haven't _always_ prevented bugs or holes, nor have they _always_ made adding new functionality easy. But pretty often we get both. And that's why we continue to invest in this codebase.

Project goals that have made particular progress in the 1.09 release:

- Preserve qmail's hard-earned security properties
- Reduce marginal cost of development
- Make packaging easier
- Provide sensible defaults

Some well-known patches have been merged; others will need some adjustment.

Full release notes: https://notqmail.org/releases/1.09

It's been almost four years since 1.08. Thanks for your patience. With continued focus on making development safer and faster, our next release will arrive much sooner.
Feedback welcome, as always.

#email #selfhosting #qmail #netqmail #notqmail #smtp #smtpsmuggling #mailserver

Arthur Lutz (Zenika):
For the technical details of SMTP Smuggling: https://smtpsmuggling.com/

And the excellent talk at CCC last December: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

#smtpSmuggling #smtp #security

Arthur Lutz (Zenika):
🏆 Achievement unlocked: being credited as "Reporter" on a GitHub security advisory 🔒

https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2

👏 to @login for all the hard work

#smtpSmuggling #smtp #postal #email #security #CVE

Timo Tijhof:
Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.

Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!

https://youtu.be/V8KPV96g1To

Related:
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
https://www.postfix.org/smtp-smuggling.html
https://www.malwarebytes.com/blog/news/2024/01/explained-smtp-smuggling

#SmtpSmuggling #37C3 #SMTP #vulnerability #infosec #TimoLongin #security

Florian Bierhoff:
It's a wrap! 🌯 Our technical guideline "BSI TR-03108 (Secure Email Transport)" is now accompanied by "BSI TR-03182 (Email Authentication)" providing guidance for email services to protect their users against impersonation attacks like Spoofing and Phishing

https://bsi.bund.de/dok/tr-03182-en

#TeamBSI #EmailAuthentication #DNSSEC #DMARC #DKIM #SPF #SMTP #SMTPSmuggling

d0rk ✅:
Finally the two missing options against #smtpsmuggling arrived in #debian buster this morning.

https://security-tracker.debian.org/tracker/CVE-2023-51764

smtpd_forbid_bare_newline = normalize

and if needed:

smtpd_forbid_bare_newline_exclusions = $mynetworks

see

https://www.postfix.org/smtp-smuggling.html

Matt Willemsen:
Explained: SMTP smuggling
https://www.malwarebytes.com/blog/news/2024/01/explained-smtp-smuggling #explainer #SMTPSmuggling #email #spoofing #cybercriminals #Cisco

Lukas Rotermund:
SPF-valid spoofed mail from admin@microsoft.com 😈 ?

Timo Longin @login stumbled upon SMTP Smuggling while looking for vulnerabilities in the Simple Mail Transfer Protocol.

Great work and great talk!

#Smtp #SmtpSmuggling #TimoLongin #37c3

https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

Marc Michalsky:
Me: "I just tested whether you are vulnerable to #SmtpSmuggling, but apparently I can also just send mail as any arbitrary sender through your servers."

Mail provider: "Yes, that's ordinary phishing, but it's intended, so that several senders can serve the same shared mailbox."

Me: "It's intended that I can impersonate you or any of your other customers? Including a valid DKIM signature?"

Mail provider: 🤷‍♂️

There are days like that...

zl2tod:
@ParadeGrotesque
The patch for CVE-2023-51766, #SMTPSmuggling in Exim4, just landed in Debian.
https://security-tracker.debian.org/tracker/source-package/exim4

Andy:
Long planned, but now with enhanced motivation due to the #SMTPSmuggling attack, I finally replaced my old #EMailServer based on #Postfix and applied the workarounds.

Besides that I completely replaced the server hardware and all the VMs for Calendar, Files and Web (last one still WIP).

🔗 https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

🔗 https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

🔗 https://www.postfix.org/smtp-smuggling.html

Marcel SIneM(S)US:
New hole in an old e-mail protocol: #SMTP smuggling | Security https://www.heise.de/news/Neue-Luecke-in-altem-E-Mail-Protokoll-SMTP-smuggling-9584467.html #SMTPsmuggling

zl2tod:
@ParadeGrotesque
The patch for #SMTPSmuggling just landed in Debian Bullseye:
* 3.5.23 (Closes: #1059230)
- Addresses CVE-2023-51764, requires configuration change
- Security: with "smtpd_forbid_bare_newline = yes" (default "no" for Postfix < 3.9), reply with "Error: bare <LF> received" and disconnect when an SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. This prevents SMTP smuggling attacks that target ...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059230

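The two Postfix-related posts above (the `smtpd_forbid_bare_newline = normalize` setting and the Debian changelog for `smtpd_forbid_bare_newline = yes`) describe the fix in terms of line endings: a receiving server must only treat the standard `<CR><LF>.<CR><LF>` as end-of-data, and must decide what to do with lines that end in a bare `<LF>`. The following Python model is an added illustration for this page; it is not Postfix's code and it simplifies Postfix's behaviour. It assumes the documented semantics as described in the posts: "yes" rejects any bare `<LF>` with "Error: bare <LF> received", "normalize" accepts bare-`<LF>` lines as content but recognises only the full standard terminator, and "no" is the lenient pre-fix behaviour. The function names, the policy strings and the `SAMPLE` byte stream are constructed for the example.

```python
"""Constructed model of how an SMTP server's DATA reader can treat bare <LF>
line endings, in the spirit of Postfix's smtpd_forbid_bare_newline setting.
Written for this page; not Postfix's own code, and simplified.

Policies modelled (assumed semantics, see lead-in):
  "no"        lenient: a lone "." ends the message whether its line ended in
              <CR><LF> or in a bare <LF>
  "yes"       reject: any line ending in a bare <LF> aborts the DATA phase
              with "Error: bare <LF> received"
  "normalize" only the standard <CR><LF>.<CR><LF> ends the message; other
              bare-<LF> lines are accepted as content with <CR><LF> endings
"""
from dataclasses import dataclass

VALID_POLICIES = ("no", "yes", "normalize")


class BareNewlineError(Exception):
    """Raised under policy "yes" when a line arrives with a bare <LF>."""


@dataclass
class DataResult:
    message: bytes      # body accepted by the server, CRLF-terminated lines
    leftover: bytes     # bytes after end-of-data: what a command parser sees next
    bare_lf_lines: int  # lines that arrived with a bare <LF> (useful for logging)


def read_data(stream: bytes, policy: str = "normalize") -> DataResult:
    """Consume the DATA phase from `stream` until end-of-data is recognised."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {VALID_POLICIES}")
    out = []
    bare = 0
    pos = 0
    prev_crlf = True  # the DATA command itself ended with <CR><LF>
    while True:
        nl = stream.find(b"\n", pos)
        if nl == -1:
            raise ValueError("stream ended before end-of-data")
        crlf = nl > pos and stream[nl - 1] == 0x0D
        line = stream[pos:nl - 1] if crlf else stream[pos:nl]
        pos = nl + 1
        if not crlf:
            bare += 1
            if policy == "yes":
                raise BareNewlineError("Error: bare <LF> received")
        if policy == "no":
            ends = line == b"."
        else:
            # normalize: require the complete standard sequence <CR><LF>.<CR><LF>
            ends = line == b"." and crlf and prev_crlf
        if ends:
            return DataResult(b"".join(out), stream[pos:], bare)
        if line.startswith(b"."):
            line = line[1:]  # RFC 5321 section 4.5.2 dot-unstuffing
        out.append(line + b"\r\n")  # a bare <LF> ending is normalised to <CR><LF>
        prev_crlf = crlf


def is_rejected(stream: bytes, policy: str) -> bool:
    """True if the policy aborts the DATA phase for this stream."""
    try:
        read_data(stream, policy)
    except BareNewlineError:
        return True
    return False


# Constructed sample: a message body containing a lone "." on a line that ends
# in a bare <LF>, followed by more content and then the real end-of-data.
SAMPLE = (
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"first line\r\n"
    b"second line\n"                   # bare <LF>
    b".\n"                             # lone dot + bare <LF>: not the standard terminator
    b"still part of the same message\r\n"
    b".\r\n"                           # standard <CR><LF>.<CR><LF> end-of-data
    b"QUIT\r\n"                        # the next command after the message
)

if __name__ == "__main__":
    for policy in VALID_POLICIES:
        if is_rejected(SAMPLE, policy):
            print(f"{policy:9}: rejected (bare <LF> received)")
            continue
        r = read_data(SAMPLE, policy)
        nlines = r.message.count(b"\r\n")
        print(f"{policy:9}: {r.bare_lf_lines} bare-LF line(s); message has "
              f"{nlines} line(s); leftover = {r.leftover!r}")
```

The field to watch is `leftover`: under the lenient policy the bytes after `.\n` are handed to the command parser, which is the parsing disagreement between sending and receiving servers that the posts are about; under "normalize" the same bytes remain inside the message body, and under "yes" the session is aborted at the first bare `<LF>`. The `bare_lf_lines` counter is the kind of signal worth logging before switching policies, since it shows which clients would be affected; the `smtpd_forbid_bare_newline_exclusions = $mynetworks` line in the earlier post exists precisely to exempt trusted but non-compliant internal senders.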
Markus 👨‍💻:
#SMTPSmuggling – Spoofing E-Mails Worldwide https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

bert hubert 🇺🇦🇪🇺🇺🇦:
Prescient words from RFC 2821, "Simple Mail Transfer Protocol". #smtpsmuggling https://www.ietf.org/rfc/rfc2821.txt

Flüpke:
Wait? SEC Consult told closed-source providers like Microsoft months before about #SMTPSmuggling, but not #Postfix?

Capitalist bootlickers! Completely unacceptable!

서버메이드 깐프:
I... personally think #SMTPSmuggling is one of the trickiest vulnerabilities to handle...

At #37C3, the speakers said not following the SMTP RFC caused that problem. But the problem is, (as you can see in Postfix & Axum's federation test data) if you follow the RFC strictly, you will face a legion of angry customers complaining they missed some (important) mail from a crappy shopping mall which uses php mail() to send horribly broken email directly to TCP 25.

scy @ WHY2025 (7299):
I understand SEC's perspective. "We've told that central global organization that is super experienced in managing large scale security issues, they've told the vendors, but apparently nobody thinks this is a big deal, so yeah, let's publish the blog post then."

So, if what SEC says is true, then CERT/CC has fucked up. But of course SEC could've also talked to Postfix on their own. But why would they, CERT/CC already did.

This was all a big dumb game of telephone, it seems.

#SMTPSmuggling

Anisse:
I have watched the #37c3 #SMTPsmuggling talk stream, and congrats to @login for profusely apologizing publicly on the disclosure timeline, that's not easy to do. The research is great, let's hope everything gets fixed soon.

Florian Haas:
"Here's the problem."
"Here's why it's a problem."
"Here's how we inadvertently exacerbated one part of the problem."
"That bit admittedly sucked, and we're sorry for the trouble we caused."

That's good. That's how you do it.

#37c3 #smtpsmuggling