Re: sendmail and starttls failing

[Tim Woodall <debianuser@woodall.me.uk>]

On Sun, 30 Jun 2024, Greg Wooledge wrote:

> On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
> > According to this
> > https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
> >
> > bare CRs aren't allowed in emails but this has always worked.
> >
> > I'm only likely to have cron generating emails like this.
> >
> > Strange that this would have been changed in a stable release. It
> > doesn't seem to have been a security update.
>
> It looks like it's coming from this change:
>
> https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog
>
>  * Fix CVE-2023-51765 (Closes: #1059386):
>    sendmail allowed SMTP smuggling in certain configurations.
>    Remote attackers can use a published exploitation
>    technique to inject e-mail messages with a spoofed
>    MAIL FROM address, allowing bypass of an SPF protection
>    mechanism. This occurs because sendmail supports
>    <LF>.<CR><LF> but some other popular e-mail servers
>    do not. This is resolved with 'o' in srv_features.
>
> I don't know the details of how this leads to a security hole.

It might be - but the wording suggested that this is blocking bare <LF>
which isn't my problem - and also I'd assume this is header related.

The thing I'm seeing is <CR> in the body of the email - I had no idea
this was illegal - and I'm surprised that tools like cron don't do
something to avoid sending "illegal" emails. Indeed, even mail will do
so happily.