Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration


Is HCL Notes / Domino affected by SMTP smuggling?

Thomas Hampel
3 January 2024

In short: No.

The long(er) version:


Background:

SMTP Smuggling is a newly discovered attack against a number of mail server products and mail hosting providers.
All mail transfer is based on the SMTP protocol, which has existed for years and in which a client and a server, or two servers, talk to each other as defined in an internet standard (RFC 5321).
Even with perfect antispam checking, SPF, DKIM, DMARC, etc. in place, the vulnerability allows sending spoofed emails, which can result in a huge problem.


The Problem

The key problem is that some SMTP mail server implementations do not follow the RFC precisely.
As defined in chapter 4.2.5 of the RFC, the DATA part of a message ends with the sequence <CR><LF>.<CR><LF>, note the single dot in between, where

<CR> is a carriage return

<LF> is a line feed, meaning to move the paper or the cursor to the next line.


Another RFC, RFC 5322, defines the format of the message itself.

Servers often transfer more than one message per session.
With servers that do not follow the RFC precisely, it is possible to send the header of a second mail as the body of the first mail, so that only the first header is checked.

During post-processing of that mail the server splits the messages apart again and routes two mails, of which only the first one was formally checked against SPF, DKIM, etc.

This allows an attacker to sneak a new mail header with a fake sender name into some mail environments (but not into Domino).


More technical details are described in this publication:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

The disclosure also caused the German BSI to publish this security warning:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.html

All the above is explained in great detail in this wonderful talk (the 37c3 talk listed in the references below).




What about Domino?

HCL's Domino development team was made aware of the problem and started formally testing if Domino is affected.

As indicated above, the Domino SMTP server is not vulnerable to SMTP Smuggling; it only accepts CRLF.CRLF as the end of data sequence.

Domino follows the RFCs precisely.
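To make the difference between a conforming and a non-conforming receiver concrete, here is an added example (not code from the post, Domino or HCL) that models both behaviours on a constructed DATA stream: the strict parser ends DATA only at <CR><LF>.<CR><LF>, the lenient model also accepts bare LF or CR around the dot, and a small check reports such sequences left inside a strictly parsed body. The set of bare variants a real non-conforming server accepts is an assumption for the example.

```python
import re

# RFC 5321 section 4.1.1.4: the only valid end-of-data sequence is <CRLF>.<CRLF>.
STRICT_EOD = b"\r\n.\r\n"

# Loose pattern: a dot framed by CRLF, bare CR or bare LF on either side.
# Models what a non-conforming receiver might accept; the exact variants
# tolerated differ per implementation (assumption for this example).
LOOSE_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")


def split_data_strict(stream: bytes) -> tuple[bytes, bytes]:
    """Conforming behaviour (what the post says Domino does): DATA ends only at
    <CRLF>.<CRLF>. Returns (message, bytes after the terminator)."""
    idx = stream.find(STRICT_EOD)
    if idx < 0:
        raise ValueError("DATA not terminated with <CRLF>.<CRLF>")
    return stream[:idx], stream[idx + len(STRICT_EOD):]


def split_data_lenient(stream: bytes) -> list[bytes]:
    """Model of a NON-conforming receiver that also ends DATA on LF.LF, CR.CR
    etc. The bare sequence in the body becomes a message boundary, so the
    second header block is delivered as a separate mail that was never checked."""
    return [part for part in LOOSE_EOD.split(stream) if part]


def find_bare_terminators(message: bytes) -> list[tuple[int, bytes]]:
    """Defensive check on a strictly parsed message: report any non-CRLF dot
    sequence left inside the body, a sign of a smuggling attempt worth logging."""
    return [(m.start(), m.group(0)) for m in LOOSE_EOD.finditer(message)
            if m.group(0) != STRICT_EOD]


# Constructed sample DATA stream: a normal message whose body carries a bare
# LF '.' LF followed by a second header block, then the real terminator.
SAMPLE_STREAM = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: test\r\n\r\n"
    b"First message body.\r\n"
    b"\n.\n"                       # bare LF around the dot: not a valid terminator
    b"From: spoofed@example.com\r\nTo: bob@example.com\r\n\r\n"
    b"Second body that should never become its own message.\r\n"
    b".\r\n"                       # with the preceding CRLF: <CRLF>.<CRLF>
)

if __name__ == "__main__":
    msg, rest = split_data_strict(SAMPLE_STREAM)
    print("strict receiver: 1 message, suspicious sequences:", find_bare_terminators(msg))
    print("lenient receiver:", len(split_data_lenient(SAMPLE_STREAM)), "messages")
```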


**Update**

Based on a recent post in our support forum, there seems to be a need for further clarification.
While it is possible to squeeze two mails into one using the technique described above, Domino still handles each mail standalone and runs antispam checks against each of them.
Details are being investigated as part of SPR MDLSD2XL45.


If you want to test yourself, Daniel Nashed published nshmail, a simple SMTP mail send tool that can be very helpful for testing SMTP connections.

References:

- Domino Forum Question by Florian Bühler
- SEC Consult publication: SMTP Smuggling - Spoofing E-Mails Worldwide
- CCC 37c3 Talk: SMTP Smuggling to spoof e-mails worldwide
- nshmail -- Simple SMTP mail send tool
Tagged with: Security
Thomas Hampel, All rights reserved.