Package: swaks
Version: 20181104.0-1
Severity: normal
Tags: upstream

Below is a transcript of my attempt to forge mail from my own domain by replacing a Roman E character with a Cyrillic character that looks the same.
Postfix rejects the connection due to the lack of an SMTPUTF8 on the mail from line. With the current situation a bare minimum would be to mitigate this issue by detecting non-ascii characters in the sender and recipient addresses and aborting instead of trying to send a non-compliant message. It should not just quietly send non-compliant messages and wait for the server to report a problem.

# swaks -s localhost -f russell@cokеr.com.au -t russ...@coker.com.au
=== Trying localhost:25...
=== Connected to localhost.
<- 220 smtp.sws.net.au ESMTP Postfix - by sending email to this server you agree to the conditions at this URL: http://doc.coker.com.au/legal/conditions-of-sending-email/
-> EHLO smtp
<- 250-smtp.sws.net.au
<- 250-PIPELINING
<- 250-SIZE 51200000
<- 250-ETRN
<- 250-STARTTLS
<- 250-AUTH PLAIN LOGIN
<- 250-AUTH=PLAIN LOGIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250 SMTPUTF8
-> MAIL FROM:<russell@cokеr.com.au>
<** 501 5.1.7 Bad sender address syntax
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.

# idn2 cokеr.com.au
xn--cokr-x4d.com.au

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages swaks depends on:
ii  perl  5.28.1-4

Versions of packages swaks recommends:
ii  libio-socket-inet6-perl  2.72-2
ii  libnet-dns-perl          1.19-1
ii  libnet-ssleay-perl       1.85-2+b1

Versions of packages swaks suggests:
pn  libauthen-ntlm-perl  <none>
ii  libauthen-sasl-perl  2.1600-1
pn  perl-doc             <none>

-- no debconf information
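
Added example, not part of the original report and not swaks code: a pre-send check of the kind the report asks for, written in Python rather than swaks's Perl. It goes one step beyond the report by also listing mixed-script domain labels and the A-label form for review; the function names, the exception and the sample values are hypothetical, and the address is constructed to mirror the transcript.

```python
import unicodedata

class NonCompliantAddress(ValueError):
    """The address cannot be sent in a compliant way on this session."""

def scripts(label):
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def inspect_address(addr):
    """Report whether an address is ASCII-only, the A-label form of its
    domain (what idn2 prints), and any labels that mix scripts."""
    _local, _, domain = addr.rpartition("@")
    return {
        "ascii": addr.isascii(),
        "a_label": domain.encode("idna").decode("ascii"),
        "mixed": [lab for lab in domain.split(".") if len(scripts(lab)) > 1],
    }

def mail_from(sender, ehlo_keywords):
    """Return the MAIL FROM line, or raise before anything goes on the wire."""
    if sender.isascii():
        return f"MAIL FROM:<{sender}>"
    if "SMTPUTF8" in ehlo_keywords:
        # RFC 6531: a non-ASCII address needs the SMTPUTF8 parameter on MAIL.
        return f"MAIL FROM:<{sender}> SMTPUTF8"
    raise NonCompliantAddress(
        f"non-ASCII sender {sender!r} and server did not advertise SMTPUTF8")

# Constructed sample input: Cyrillic U+0435 in place of Latin "e", as in the report.
FORGED = "russell@cok\u0435r.com.au"
EHLO = {"PIPELINING", "8BITMIME", "DSN", "SMTPUTF8"}  # subset of the transcript's EHLO reply

if __name__ == "__main__":
    print(inspect_address(FORGED))
    print(mail_from(FORGED, EHLO))
```

The same check applies unchanged to each recipient address before RCPT TO.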