Postal · Postal · CVE-2024-27938
**Name of the Vulnerable Software and Affected Versions**
Postal versions less than 3.0.0
**Description**
The issue allows for SMTP Smuggling attacks, which may enable incoming e-mails to be spoofed. This could allow Postal to receive an incoming e-mail that appears to come from a server the user has authorized to send mail on their behalf, even though that server was not the genuine author of the e-mail. The problem does not affect sending outgoing e-mails, as e-mail is re-encoded with `<CR><LF>` line endings when transmitted over SMTP.
**Recommendations**
For versions less than 3.0.0, upgrade to Postal v3.0.0 or higher to resolve the issue. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`, and non-compliant sequences will be logged to the SMTP server log.
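To illustrate the behaviour the fix describes, here is an added example (not Postal's own code) of a strict end-of-DATA scanner: only `<CR><LF>.<CR><LF>` terminates the message, and any other dot-on-its-own-line sequence a lenient receiver might honour is collected for the server log instead of splitting the stream. The regex of lax variants, the `DataScan` struct and the log-line format are assumptions made for this example.

```ruby
# Added example, not Postal's own code: a strict end-of-DATA scanner of the
# kind the fix describes. Only <CR><LF>.<CR><LF> ends the message; any other
# "dot on its own line" sequence is collected so it can be written to the
# SMTP server log rather than being treated as a message boundary.

STRICT_EOD = "\r\n.\r\n".freeze
# Bare CR / bare LF / mixed variants of the terminator (constructed pattern).
LAX_EOD = /(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)/

DataScan = Struct.new(:complete, :body, :non_compliant)

# raw: the bytes received after the 354 reply, as one String.
def split_data_phase(raw)
  stream = "\r\n" + raw                    # virtual line break before line 1
  eod = stream.index(STRICT_EOD)
  complete = !eod.nil?
  body = complete ? stream[2, [eod - 2, 0].max] : nil   # dot-stuffing left as-is
  # Include the terminator's leading CRLF so a lax sequence that overlaps the
  # strict one (e.g. <CR>.<CR><LF>) is still reported.
  region = complete ? stream[0, eod + 2] : stream
  found = []
  pos = 0
  while (m = LAX_EOD.match(region, pos))
    found << m[0]
    pos = m.end(0)
  end
  DataScan.new(complete, body, found)
end

# Log lines for the non-compliant sequences (message format is constructed).
def eod_log_lines(result)
  result.non_compliant.map do |seq|
    "non-compliant end-of-DATA sequence #{seq.inspect} ignored"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed stream: one message whose body contains a bare <LF>.<LF>.
  sample = "Subject: hi\r\n\r\nfirst part\r\n\n.\nsecond part\r\n.\r\n"
  res = split_data_phase(sample)
  puts "complete=#{res.complete} body=#{res.body.inspect}"
  puts eod_log_lines(res)
end
```

A strict receiver keeps the whole sample as a single message body and emits one log line for the bare `<LF>.<LF>`; a lenient one would have split it into two messages at that point.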