SMTP Smuggling
[An updated version of this text may be found at https://www.postfix.org/smtp-smuggling.html]

Author: Wietse Venema

Last update: December 21, 2023

Summary
Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to change their time schedule until after people had a chance to update their Postfix systems.