Vulnerability DatabaseCVE-2023-51764

CVE-2023-51764:
Postfix vulnerability analysis and mitigation

Overview

CVE-2023-51764 affects Postfix through version 3.8.5, allowing SMTP smuggling attacks unless properly configured. The vulnerability was discovered by Timo Longin of SEC Consult in June 2023 and publicly disclosed on December 18, 2023. The flaw enables remote attackers to inject email messages with spoofed MAIL FROM addresses, bypassing SPF protection mechanisms. This occurs because Postfix supports certain non-standard line endings that some other email servers interpret differently (SEC Consult Blog, Postfix Advisory).

Technical details

The vulnerability exploits differences in how email servers handle SMTP end-of-data sequences. The attack involves a composition of two email services with different interpretations of non-standard line endings (like '\n.\n' instead of '\r\n.\r\n'). An attacker can use this discrepancy to break out of the message data section and inject additional SMTP commands, effectively smuggling new email messages. The vulnerability has a CVSS 3.1 base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

Impact

The vulnerability allows authenticated attackers to spoof email messages that appear to originate from any domain hosted on the vulnerable outbound email service to any recipient on vulnerable inbound servers. These spoofed emails can bypass SPF-based DMARC checks because they are sent through legitimate mail servers. This makes the attack particularly effective for phishing campaigns as the emails appear legitimate and pass standard security checks (Postfix Advisory, SEC Consult Blog).

Mitigation and workarounds

Postfix has released several mitigations. The recommended configuration includes setting 'smtpdforbidbarenewline = normalize' and 'smtpdforbidbarenewlineexclusions = $mynetworks'. For older versions, workarounds include setting 'smtpddatarestrictions=rejectunauthpipelining' and 'smtpddiscardehlokeywords=chunking'. The vulnerability is fixed in Postfix versions 3.5.23, 3.6.13, 3.7.9, 3.8.4, and later releases. Version 3.9 will have these protections enabled by default (Postfix Advisory, Postfix Announcement).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

5.3

Score

Published December 24, 2023

Severity MEDIUM

CNA Score N/A

Affected Technologies

Postfix
Alma Linux

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 95

Exploitation Probability (EPSS) 18.8

Affected packages and libraries

postfix-pgsql
postfix-pgsql-debuginfo

Sources

AlmaLinux Security Advisory
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Nov 21, 2024
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15 Severity MEDIUMNo FixAdded at: Jan 07, 2024
CBL-Mariner
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Jan 21, 2024
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 04, 2025
Debian Security Tracker
- Debian 10, 11, 12 Severity MEDIUMHas FixAdded at: Dec 24, 2023
- Debian 13 Severity MEDIUMHas FixAdded at: Dec 26, 2023
Nix
- Nix Severity MEDIUMHas FixAdded at: Jan 07, 2024
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Jan 07, 2024
- Red Hat 8 Severity MEDIUMNo FixAdded at: Dec 26, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Dec 26, 2023
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04, 23.10 Severity MEDIUMHas FixAdded at: Jan 23, 2024
NVD
- Linux Severity MEDIUMHas FixAdded at: Jan 07, 2024