Post Ad4seXBX4yYUoomGOG by jeroen@secluded.ch
 (DIR) More posts by jeroen@secluded.ch
 (DIR) Post #Ad2VamMHF77K6xlJNg by jssfr@zombofant.net
       2023-12-21T14:51:48Z
       
       5 likes, 16 repeats
       
       https://www.postfix.org/smtp-smuggling.html

       "SMTP Smuggling" vulnerability in Postfix allows senders to be spoofed even in the presence of some DMARC checks. Configuration workarounds exist.

       Also, a wholehearted f* you to SEC Consult, who sat on this since June and disclosed it to some closed-source vendors and MSPs, but could apparently not be bothered to give e.g. Postfix a heads-up, publishing this close to the holidays.

       Boosts for awareness welcome.
       
 (DIR) Post #Ad4seXBX4yYUoomGOG by jeroen@secluded.ch
       2023-12-21T15:14:02Z
       
       1 like, 0 repeats
       
       @jssfr "open source does not pay us"... nasty way to do business... :( Fortunately, for all services where I admin, the default is to reject unauthenticated pipelined commands, as that also stops a lot of very badly written spam robots, and I would not be surprised if many others have that setting like that for that reason. Implementing it for a large service where it is not enabled yet can be tricky with this timeline.
       
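       The configuration workarounds the first post points to, and the "reject unauthenticated pipelined commands" setting the second post relies on, as an added example of a Postfix main.cf fragment. This is not code from either post or from the linked Postfix page; the parameter names are the ones Postfix documents for this issue, while the release numbers and the default values are assumptions to verify against the linked page and against `postconf -d` on the host in question.

```ini
# Added example (not from the posts): Postfix main.cf settings for SMTP smuggling.
# Which parameters your release knows is an assumption; check with
#   postconf -d | grep -E 'forbid|unauth_pipelining|ehlo_keywords'
# A parameter that is unknown to your release is logged as a warning and ignored.

# Workaround available on every Postfix release: reject unauthenticated clients
# that send the next SMTP command before the server has replied (the pipelining
# check the second post describes). Also drops a lot of sloppy spam bots.
smtpd_data_restrictions = reject_unauth_pipelining

# Workaround: stop advertising CHUNKING so clients cannot switch from DATA to
# BDAT, keeping all message delivery on the path the end-of-data check protects.
smtpd_discard_ehlo_keywords = chunking, silent-discard

# Releases that carry the fix (assumed: 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later):
# reject bare <LF> inside DATA so a "<LF>.<LF>" in message content cannot be
# read as end-of-data. Use "normalize" instead of "yes" where supported if you
# would rather repair such mail than bounce it.
smtpd_forbid_bare_newline = yes
# Exempt your own relays if they are known to send bare newlines (assumed to
# default to $mynetworks; confirm with postconf -d).
smtpd_forbid_bare_newline_exclusions = $mynetworks

# Global switch for the same pipelining check, on releases that have it.
smtpd_forbid_unauth_pipelining = yes
```

       After editing, run `postfix reload` and confirm the effective values with `postconf -n | grep -E 'forbid|pipelining|ehlo_keywords'`; a value that `postconf -n` does not echo back was not accepted by that release. The pipelining rejection is the part that can be rolled out on any version today, which is what makes it the tricky-but-possible piece for a large service on this timeline; the bare-newline setting needs the patched release.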
 (DIR) Post #AdFZXF10TURw35Dpi4 by Foxboron@chaos.social
       2023-12-22T00:07:57Z
       
       0 likes, 1 repeats
       
       @jssfr Cool of them to submit this to #37C3 instead of getting it fixed upstream.

       EDIT: The talk had a decent apology.
       https://events.ccc.de/congress/2023/hub/en/event/smtp_smuggling_spoofing_e-mails_worldwide/