CVE-2023-51764

Name of the Vulnerable Software and Affected Versions Postfix versions 3.5.23 through 3.8.5 Postfix versions prior to 3.9

Description The issue is related to insufficient validation of line endings in the Postfix smtpd daemon, allowing remote attackers to bypass security restrictions and perform email spoofing attacks, such as SMTP Smuggling. This can be exploited by injecting email messages with a spoofed MAIL FROM address, bypassing SPF protection mechanisms. The vulnerability occurs because Postfix supports <LF>.<CR><LF> while other popular email servers do not.

Recommendations For Postfix versions 3.5.23 through 3.8.4, consider configuring smtpd data restrictions=reject unauth pipelining and smtpd discard ehlo keywords=chunking to prevent SMTP smuggling. For Postfix versions 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9, consider setting smtpd forbid bare newline=yes to disallow <LF> without <CR>. As a temporary workaround, consider restricting access to the vulnerable smtpd daemon until a patch is available.