CVE-2023-51764: Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking…

medium5.3CVSS 3.1

AVNACLPRNUINSUCNILAN

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports . but some other popular e-mail servers do not. To prevent attack variants (by always disallowing without ), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Affected

21 ranges

Vendor	Product	Version range	Fixed in
debian	postfix	< postfix 3.7.9-0+deb12u1 (bookworm)	postfix 3.7.9-0+deb12u1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_postfix_3.7.0-2_on_azure_linux_3.0	—	—
msrc	azl3_postfix_3.9.0-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_postfix_3.7.0-3_on_cbl_mariner_2.0	—	—
msrc	cbl2_postfix_3.7.4-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
postfix	postfix	< 3.5.23	3.5.23
postfix	postfix	>= 0 < 3.5.23-0+deb11u1	3.5.23-0+deb11u1
postfix	postfix	>= 0 < 3.7.9-0+deb12u1	3.7.9-0+deb12u1
postfix	postfix	>= 0 < 3.8.4-1	3.8.4-1
postfix	postfix	>= 0 < 3.8.4-1	3.8.4-1
postfix	postfix	>= 3.6.0 < 3.6.13	3.6.13
postfix	postfix	>= 3.7.0 < 3.7.9	3.7.9
postfix	postfix	>= 3.8.0 < 3.8.4	3.8.4
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

osv5.3MEDIUM