1. Home
  2. Knowledge Base
  3. Management
  4. SMTP Injection issue (crlf line termination)
  1. Home
  2. Knowledge Base
  3. Security
  4. SMTP Injection issue (crlf line termination)

SMTP Injection issue (crlf line termination)

Case VU#302671: SMTP Smuggling

This issue relates to "End of data sequence handling" or SMTP Injection.

Traditionally SMTP servers have been 'flexible' with line termination, however, it was recently (2024) discovered that this leads to a possible injection exploit whereby users could possibly send messages with forged content/origin by exploiting the fact that some servers will see the end of message and others wont.

To fix this problem, add this setting:

g_lf_fix_off "true"

We also strongly recommend upgrading to SurgeMail 7.7l3 or later.

If your system needs this legacy behaviour for some reason please upgrade to SurgeMail 7.7l3 or later then set g_lf_fix_list "" to the ip address of any legacy device. Legacy devices that rely on this behaviour should be exceedingly rare, and should normally be patched rather than relying on this exception setting.

This is a relatively low level security risk (so don't panic) but do upgrade at your earliest convenience.

Other references: CVE-2023-51764 postfix, CVE-2023-51765 sendmail, CVE-2023-51766 exim

Was this article helpful?

Related Articles

Need Support?

Can't find the answer you're looking for?
Contact Support