Classification: TLP:GREEN

Internal reference: DOV-6394
Type: CWE-345 (Insufficient Verification of Data Authenticity)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 2.3.21.1
First fixed revision: OX Dovecot Pro core 3.0.0
Discovery date: 2023-12-28
Solution date: 2024-05-08
Disclosure date: 2024-09-02
Researcher credits: Hanno Böck <hanno@hboeck.de>
CVE: CVE-2024-25584
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Details:
 SMTP/Submission server accepts bad <LF>.<LF> end of data symbol (SMTP Smuggling). Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP.

Risk:
Dovecot will split mail with LF DOT LF into two mails. No publicly available exploits are known.

Solution:
Upgrade to latest released version.