Case VU#302671: SMTP Smuggling
This issue relates to "End of data sequence handling" or SMTP Injection.
Traditionally SMTP servers have been 'flexible' with line termination, however, it was recently (2024) discovered that this leads to a possible injection exploit whereby users could possibly send messages with forged content/origin by exploiting the fact that some servers will see the end of message and others wont.
To fix this problem UPGRADE TO 7.8
If a legacy client/fax system is sending LF characters, you need to whitelist them individually like this:
g_lf_fix_list "1.2.3.4"Legacy devices that rely on this behaviour should be exceedingly rare, and should normally be patched rather than relying on this exception setting.
This is a relatively low level security risk (so don't panic) but do upgrade at your earliest convenience.
Other references: CVE-2023-51764 postfix, CVE-2023-51765 sendmail, CVE-2023-51766 exim