
Document information

Document ID: 9039
Subject: What is Smtp Smuggling and Tips on Testing Your Server
Creation date: 1/3/24 8:38 AM
Last modified on: 1/11/24 10:42 AM


What is Smtp Smuggling and Tips on Testing Your Server

Using SMTP Smuggling, a malicious user can smuggle an email inside another email message. The outer message is often harmless. The smuggled message could be potentially dangerous and can pretend to be coming from a legitimate source, as that will pass SPF, DMARC, and DKIM. SEC Consult discovered this vulnerability around November 2023; according to them, it affects many popular email servers. This page discusses how to test your email server to ensure you're not affected.

A Brief Background

Engineers at Postfix did an excellent job summarizing the problem; therefore, we will skip most of the technical jargon. Suffice it to say that this vulnerability exploits how emails are separated from each other when several are sent over a single network connection. Every SMTP server has an input and an output. A single incoming email must result in only one outgoing message. If your server is affected by this vulnerability, it could generate two or more messages through its output for that single incoming message. These additional messages are called "smuggled" and will appear to originate from your server, passing every best practice you have deployed on your end.

Additionally, the original blog post published by SEC Consult is a bit long. If you want to skim through it, we recommend reading the section on how email servers handle the <LF>.<LF> character sequence.

It is also important to note that this vulnerability involves two servers. In other words, you must send an outbound email to another server, such as Gmail, Hotmail, or others, to determine if you're affected.

Testing Your Server

Engineers at Synametrics wrote a tiny testing utility that can help you confirm if your server is vulnerable. This test utility is written in Java and is published along with its source code. Follow the instructions below on how to use it.

  • Download the JAR file from here or compile it using the source code. You will need Java (any version above JRE 8). Refer to the Usage section below for details on how to use it.
  • It does not use SMTP authentication. Therefore, you must run this utility on a computer that can relay through your email server.
  • To keep matters simple, this utility does not use TLS or STARTTLS.
  • It does not perform any error handling. Therefore, use Email Sender prior to running this to ensure your server will accept emails from the machine you're testing from.

Usage

There are four actors in this utility:

  • Original Sender - refers to the email address of the person sending an outbound email. This should be an email address belonging to your domain.
  • Original Recipient - refers to a recipient's email address on the Internet, such as your valid Gmail account.
  • Smuggled Sender - refers to a valid email address on your domain, such as administrator@yourcompany.com. Don't use the same address specified for the original sender.
  • Smuggled Recipient - refers to another valid email address on the Internet, such as a different Gmail account. Again, don't use the same address as the original recipient.

The testing utility sends one or two emails, depending on whether your email server supports CHUNKING. Your server is vulnerable if an email arrives at the Smuggled Recipient's address. Use the following command to run it.

java -jar SmtpSmugglingTester.jar [-v] OPTIONS

Command Line Arguments

-h Displays usage
-os Email address for the original sender. This should be a valid address in your domain.
-or Email address for the original recipient. This should be a valid address somewhere on the Internet.
-ss Email address for the smuggled sender. This should be an address in your domain but different than what you specified for original sender.
-sr Email address for the smuggled recipient. This should be an address on the Internet but different than what you specified for original recipient.
-server IP address/host name of your SMTP server. If missing, localhost is assumed.
-port TCP/IP port. A value of 25 is assumed if this is missing.
-v Verbose. If present, the communication between this utility and the SMTP server will be printed on the screen.

Example

java -jar SmtpSmugglingTester.jar -os john@yourcompany.com -or john@gmail.com -ss admin@yourcompany.com -sr john@hotmail.com

Is Xeams Affected?

Although Xeams is not affected by this vulnerability, there is room for improvement. In technical terms, Xeams performs dot-stuffing along with replacing <LF>.<LF> with <CRLF>.<CRLF>, as suggested by SEC Consult.

A better approach, however, is what Postfix will be doing for their long-term solution: terminate the network connection if an incorrect line termination sequence is provided by the client. Therefore, the next version of Xeams, which is expected to be released towards the end of January 2024, will have a configuration parameter allowing Xeams to terminate the connection if an SMTP client does not use RFC-compliant line terminators.

Terminating client connections could have unintended consequences, particularly if you have legacy software or scripts running on Linux/Unix that send outbound emails. Therefore, this option will be turned OFF by default.
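The following Python snippet is an added illustration, not Xeams or Postfix code, of the two mitigations just described as they might appear in a relay's DATA handler: lenient mode canonicalises every line ending to CRLF and dot-stuffs before forwarding, strict mode refuses any payload containing a bare CR or LF. The sample payload and all function names are constructed for the example.

```python
import re

# Constructed sample of what a server might receive during the DATA phase
# from a misbehaving client: the body carries a bare <LF>.<LF> sequence,
# which is not an RFC 5321 end-of-data marker but which a downstream
# server might mistake for one.
SAMPLE_DATA = (
    b"From: john@yourcompany.com\r\n"
    b"To: john@gmail.com\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"outer body\r\n"
    b"\n.\n"  # bare <LF>.<LF>, the sequence SEC Consult describes
    b"text after the bogus terminator\r\n"
)

# A CR not followed by LF, or an LF not preceded by CR.
_BARE_LINE_END = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def has_bare_line_ends(data: bytes) -> bool:
    """True if the payload contains a CR or LF outside a CRLF pair."""
    return _BARE_LINE_END.search(data) is not None


def normalise_for_relay(data: bytes, strict: bool = False) -> bytes:
    """Prepare a received DATA payload for the outbound connection.

    strict=True  mirrors the Postfix-style policy: reject the message on
                 non-RFC line terminators (the caller drops the connection).
    strict=False mirrors the dot-stuffing approach: every line end becomes
                 CRLF and every line starting with '.' gets a second '.',
                 so the next hop can never see a lone '.' line in the body.
    Returns the payload terminated by exactly one CRLF.CRLF.
    """
    if strict and has_bare_line_ends(data):
        raise ValueError("non-RFC line terminator in DATA")
    # Split on CRLF first, then on lone CR or LF, so all three forms
    # collapse to a single canonical line list.
    lines = re.split(rb"\r\n|\r|\n", data)
    if lines and lines[-1] == b"":
        lines.pop()  # trailing line end is not an extra line
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed) + b"\r\n.\r\n"
```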
