On Sun, Jun 30, 2024 at 6:08 PM Tim Woodall <debianu...@woodall.me.uk> wrote: > > On Sun, 30 Jun 2024, Tim Woodall wrote: > > > On Sun, 30 Jun 2024, Michael Grant wrote: > > > >> After an update today, sendmail is refusing to accept mail. I'm > >> seeing this in the logs: > >> > > > > Hmmm, this update seems to have done a lot of odd things. > > > > root@dirac:~# mail root > Cc: > Subject: test cr > this > is^Ma test > . > root@dirac:~# mailq > MSP Queue status... > /var/spool/mqueue-client (1 request) > -----Q-ID----- --Size-- -----Q-Time----- > ------------Sender/Recipient----------- > 45ULV1xk014043 15 Sun Jun 30 22:31 r...@dirac.home.woodall.me.uk > (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed) > root > Total requests: 1 > MTA Queue status... > /var/spool/mqueue is empty > Total requests: 0 > > According to this > https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx > > bare CRs aren't allowed in emails but this has always worked. > > I'm only likely to have cron generating emails like this. > > Strange that this would have been changed in a stable release. It > doesn't seem to have been a security update.
New SMTP smuggling attack, <https://www.openwall.com/lists/oss-security/2023/12/21/6>. The short of it is, non-conforming emails and sloppy parsing have led to a litany of problems including mail spoofing. It has been going on for years, but now things are changing. Jeff