the latter being missed, and no further queue scheduled runs being
initiated. This ouwld be more likely on high-load systems.
-JH/12 Enforce a data synch check before emitting the 354 "go ahead". Previously
- this was only done if a pre-data ACL was configured.
-
-JH/13 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
LF-only mode (as detected from the first header line). Previously we did
accept that in (normal) CRLF mode; this has been raised as a possible
attack scenario (under the name "smtp smuggling").
dummy call to get the DATA command sent. */
if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
- {
- if (!check_sync()) goto SYNC_FAILURE;
rc = OK;
- }
else
{
uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
2017-07-30 18:51:05.712 10HmbG-000000005vi-0000 <= some6ne@some.domain H=(tester) [127.0.0.1] Ci=p1243 P=esmtp K S=sss for CALLER@test.ex
2017-07-30 18:51:05.712 rejected from <someone@some.domain> H=(tester) [127.0.0.1]: Non-CRLF-terminated header, under CHUNKING: message abandoned
2017-07-30 18:51:05.712 10HmbH-000000005vi-0000 <= someone@some.domain H=(tester) [127.0.0.1] Ci=p1244 P=esmtp K S=sss for CALLER@test.ex
+2017-07-30 18:51:05.712 10HmbI-000000005vi-0000 <= legit@some.domain H=(smuggler) [127.0.0.1] Ci=p1245 P=esmtp S=sss for CALLER@test.ex
??? 221
****
#
+# Test for smtp-smuggling. Accepting only one message is good; two is bad.
+client 127.0.0.1 PORT_D
+??? 220
+ehlo smuggler
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-CHUNKING
+??? 250 HELP
+MAIL FROM:<legit@some.domain>
+??? 250
+RCPT TO:<CALLER@test.ex>
+??? 250
+DATA
+??? 354
+Subject: test of smuggled smtp
+
+This is body for initial message
+The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+mail from:<smuggler@y>
+rcpt to:<CALLER@test.ex>
+bdat 86 last
+Subject: send me all your money!
+
+All your bases are belong to us. Send Bitcoins.
+QUIT
+.
+??? 250
+QUIT
+??? 221
+****
#
killdaemon
no_msglog_check
??? 221
<<< 221 testhost.test.ex closing connection
End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 testhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo smuggler
+??? 250-
+<<< 250-testhost.test.ex Hello smuggler [127.0.0.1]
+??? 250-SIZE
+<<< 250-SIZE 52428800
+??? 250-8BITMIME
+<<< 250-8BITMIME
+??? 250-PIPELINING
+<<< 250-PIPELINING
+??? 250-CHUNKING
+<<< 250-CHUNKING
+??? 250 HELP
+<<< 250 HELP
+>>> MAIL FROM:<legit@some.domain>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test of smuggled smtp
+>>>
+>>> This is body for initial message
+>>> The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+>>> mail from:<smuggler@y>
+>>> rcpt to:<CALLER@test.ex>
+>>> bdat 86 last
+>>> Subject: send me all your money!
+>>>
+>>> All your bases are belong to us. Send Bitcoins.
+>>> QUIT
+>>> .
+??? 250
+<<< 250 OK id=10HmbI-000000005vi-0000
+>>> QUIT
+??? 221
+<<< 221 testhost.test.ex closing connection
+End of script
git://git.exim.org / exim.git / commitdiff