Defense against SMTP Smuggling?
-
Does MDaemon have, or are you working to provide, defenses against SMTP Smuggling, as referred to in this blog post by KnowBe4 which references info published by Timo Longin of SEC Consult?
https://blog.knowbe4.com/smtp-smuggling-email-security-impersonation
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Thanks,
Dave
-
Arron Staff
MDaemon 23.5.2, which is being released today, includes 2 changes to prevent SMTP smuggling.
- To prevent inbound SMTP smuggling, MDaemon now requires message data to end with <CRLF>.<CRLF>. Previously, it would allow <LF>.<LF>. To disable this, edit \MDaemon\App\MDaemon.ini and set [Special] SMTPRequireCRLFdotCRLF=No.
- To prevent outbound SMTP smuggling, MDaemon by default removes bare <CR> characters from messages. To disable this, edit \MDaemon\App\MDaemon.ini and set [Special] SMTPAllowBareCR=Yes.
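
Added example (not part of the original reply and not MDaemon's code): a Python sketch of the two checks described above, showing how a strict and a lenient end-of-data parser split the same DATA stream differently, and what removing bare `<CR>` does to an outbound message. The function names and sample bytes are constructed for illustration.

```python
import re

# Constructed sample: bytes sent after the DATA command. The body contains a
# bare-LF "dot line" before the real <CRLF>.<CRLF> terminator.
SAMPLE = b"Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n"

STRICT_EOD = re.compile(rb"\r\n\.\r\n")      # only <CRLF>.<CRLF>
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")   # also accepts <LF>.<LF>


def split_at_end_of_data(stream: bytes, require_crlf: bool = True):
    """Return (message, leftover) as a receiving server would see them.

    leftover is whatever follows the terminator, i.e. the bytes the server
    would go on to parse as SMTP commands. (None, stream) means the
    terminator has not arrived yet.
    """
    pattern = STRICT_EOD if require_crlf else LENIENT_EOD
    match = pattern.search(stream)
    if match is None:
        return None, stream
    return stream[:match.start()], stream[match.end():]


def parsers_disagree(stream: bytes) -> bool:
    """True when strict and lenient parsing end the message at different
    places, which is the ambiguity SMTP smuggling depends on."""
    return split_at_end_of_data(stream, True) != split_at_end_of_data(stream, False)


def strip_bare_cr(message: bytes) -> bytes:
    """Outbound side: drop every <CR> not immediately followed by <LF>."""
    return re.sub(rb"\r(?!\n)", b"", message)


if __name__ == "__main__":
    print("strict :", split_at_end_of_data(SAMPLE, require_crlf=True))
    print("lenient:", split_at_end_of_data(SAMPLE, require_crlf=False))
    print("ambiguous:", parsers_disagree(SAMPLE))
    print("bare CR removed:", strip_bare_cr(b"hello\r.\rworld\r\n"))
```

With the strict rule the whole sample is one message and nothing is left over; with the lenient rule the message ends early and the remainder would be read as commands.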
-
Terrific! Thanks!
Dave