PT-2020-13021 · Postfix · Postfix

D7X

Published 2020-04-24

Updated 2024-08-04

CVE-2020-12063

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Postfix version 2.10.1-7

Description

The issue allows an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a "Sender address rejected: not logged in" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked.

Recommendations

For Postfix version 2.10.1-7, consider disabling the /etc/postfix/sender_login feature until a patch is available to prevent exploitation of the homoglyph attack. Restrict access to the sender_login feature to minimize the risk of spoofed outbound messages. Avoid using homoglyph characters in sender addresses to prevent potential spoofing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
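The following Python example is added to this advisory for illustration and is neither Postfix code nor part of the original entry. It models the check the Description and Recommendations refer to: an unauthenticated client's MAIL FROM address is looked up in a sender-to-login table, and only an exact match is rejected, so an address that merely looks like a configured one passes. The hardened variant folds the address to its ASCII look-alike form before the lookup and refuses addresses built from look-alike characters. The sender table, the confusables map and the address strings are constructed sample data; a deployment would load the full Unicode confusables list rather than the handful of entries assumed here.

```python
import unicodedata
from typing import Optional

# Constructed stand-in for a sender_login table: each sender address is owned
# by one SASL login name. Sample data, not a real configuration.
SENDER_LOGIN = {
    "bob@example.com": "bob",
    "alice@example.com": "alice",
}

# Assumed, deliberately small confusables table: look-alike letters mapped to
# the ASCII letter they imitate. A real deployment would load the Unicode
# confusables data instead of hand-maintaining this.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON (UTF-8 \xce\xbf, the advisory's example)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

REJECT_NOT_LOGGED_IN = "Sender address rejected: not logged in"
REJECT_LOOKALIKE = "Sender address rejected: contains look-alike characters"


def literal_lookup(sender: str) -> Optional[str]:
    """Model the exact-match table lookup: an address is protected only if its
    exact (case-folded) string is a key in the table."""
    return SENDER_LOGIN.get(sender.lower())


def skeleton(address: str) -> str:
    """Fold an address to the ASCII string it visually resembles.

    NFKC handles compatibility forms such as fullwidth letters; the
    confusables map handles cross-script look-alikes such as Greek omicron.
    """
    folded = unicodedata.normalize("NFKC", address).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_unauthenticated_sender(sender: str, confusable_aware: bool) -> str:
    """Decide what an unauthenticated SMTP client may use as MAIL FROM.

    Returns "OK" or a rejection reason.  With confusable_aware=False this is
    the behaviour the advisory describes: only the exact configured string is
    rejected, so a homoglyph of it is accepted.  With confusable_aware=True the
    lookup is done on the ASCII skeleton, and addresses that contain look-alike
    characters are refused even when they imitate no configured address.
    """
    if not confusable_aware:
        return REJECT_NOT_LOGGED_IN if literal_lookup(sender) is not None else "OK"

    folded = skeleton(sender)
    if literal_lookup(folded) is not None:
        # The address, or a look-alike of it, belongs to a configured login.
        return REJECT_NOT_LOGGED_IN
    if folded != sender.lower():
        # Folding changed the string, so it was built from look-alike characters.
        return REJECT_LOOKALIKE
    return "OK"


if __name__ == "__main__":
    # Constructed sample: "bob" with the 'o' replaced by Greek omicron.
    spoof = "b\u03bfb@example.com"
    for aware in (False, True):
        verdict = check_unauthenticated_sender(spoof, aware)
        print(f"confusable_aware={aware}: {spoof!r} -> {verdict}")
```

Run stand-alone, the script shows the same spoofed address accepted by the literal lookup and rejected by the skeleton lookup. The folding step is also what a mail log monitor can apply to outbound MAIL FROM values to surface look-alikes of protected senders before a rule is changed.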

Exploit

Related Identifiers

CVE-2020-12063

Affected Products

Postfix