Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration


Is HCL Notes / Domino affected by SMTP smuggling?

Thomas Hampel
 3 January 2024

In short: No

The long(er) version:


Background:

SMTP Smuggling is a newly discovered attack against a number of mail server products and mail hosting providers.
All mail transfer is based on the SMTP protocol, which has existed for years and in which server and client, or two servers, talk to each other as defined in an internet standard (RFC 5321).
Even with perfect antispam checking, SPF, DKIM, DMARC, etc. in place, the vulnerability would allow sending spoofed emails, which can result in a huge problem.


The Problem

The key problem is that some SMTP mail server implementations do not follow the RFC precisely.
As defined in chapter 4.2.5 of the RFC, the DATA part of a message ends with CRLF.CRLF (note the small dot in between), where CR is a carriage return and LF is a line feed, meaning to move the paper or the cursor to the next line.


Another RFC (RFC 5322) defines
Image:Is HCL Notes / Domino affected by SMTP smuggling?

Servers often transfer more than one message at a time in one session.
With servers that don't follow the RFC perfectly, it is possible to send the header of the second mail as the body of the first mail, so that only the first header is checked.

In the post-processing of that mail, the server will split the messages apart again and route two mails, of which only the first one was formally checked against the SPF, DKIM, etc. definitions.

This makes it possible to sneak a new mail header with fake sender names into some mail environments (but not into Domino).


More technical details are described in this publication:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

The disclosure also caused the German BSI to publish this security warning:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.html

All of the above is explained in great detail in this wonderful talk.




What about Domino?

HCL's Domino development team was made aware of the problem and started formally testing whether Domino is affected.

As indicated above, the Domino SMTP server is not vulnerable to SMTP Smuggling; it only accepts CRLF.CRLF as the end of data sequence.

Domino follows the RFCs precisely.
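The strict rule described above (only CRLF.CRLF ends the DATA part) can be checked against captured SMTP traffic. The following is an added example, not code from HCL, Domino or the original post: it splits a stream at CRLF.CRLF only and flags lone-dot lines delimited by a bare CR or LF, which a lenient server might read as end of data. The function names, the sample stream and the "reject" verdict are assumptions made for illustration.

```python
import re

EOD = b"\r\n.\r\n"  # the only end-of-data sequence RFC 5321 defines

# A line holding only "." whose line breaks are not both CRLF (bare CR or bare LF).
# The trailing break is matched in a lookahead so adjacent candidates are all seen.
_LONE_DOT = re.compile(rb"(\r\n|\r|\n)\.(?=(\r\n|\r|\n))")


def split_strict(stream: bytes) -> list[bytes]:
    """Split a captured DATA stream into messages at CRLF.CRLF only."""
    messages = []
    while (end := stream.find(EOD)) >= 0:
        messages.append(stream[: end + 2])  # keep the CRLF that ends the last line
        stream = stream[end + len(EOD):]
    return messages


def nonstandard_terminators(message: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, raw bytes) of lone-dot lines delimited by a bare CR or LF."""
    hits = []
    for m in _LONE_DOT.finditer(message):
        before, after = m.group(1), m.group(2)
        if (before, after) != (b"\r\n", b"\r\n"):
            hits.append((m.start(), before + b"." + after))
    return hits


def inspect(stream: bytes) -> list[dict]:
    """One verdict per strictly delimited message (reject policy is an assumption)."""
    report = []
    for msg in split_strict(stream):
        hits = nonstandard_terminators(msg)
        report.append({"size": len(msg), "hits": hits, "reject": bool(hits)})
    return report


# Constructed sample: two messages; the first hides a bare-LF "." line in its body,
# the second contains only a correctly dot-stuffed line.
SAMPLE = (
    b"Subject: one\r\n\r\nfirst part\n.\nsecond part\r\n.\r\n"
    b"Subject: two\r\n\r\n..dot-stuffed line\r\nbye\r\n.\r\n"
)

if __name__ == "__main__":
    for entry in inspect(SAMPLE):
        print(entry)
```

A strict parser sees exactly two messages in the sample; the flagged offset in the first one marks where a lenient parser could disagree about the message boundary.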


**Update**

Based on a recent post in our support forum, there seems to be a need for further clarification.
While it is possible to squeeze two mails into one using the technique described above, Domino will still handle each mail standalone and will run antispam checks against each of them.
Details are being investigated as part of SPR MDLSD2XL45.


If you want to test this yourself, Daniel Nashed published nshmail, a simple SMTP mail send tool that can be very helpful for testing SMTP connections.

References:

- Domino Forum Question by Florian Bühler
- SEC Consult publication: SMTP Smuggling - Spoofing E-Mails Worldwide
- CCC 37c3 Talk: SMTP Smuggling to spoof e-mails worldwide
- nshmail -- Simple SMTP mail send tool