Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
Lenient handling of line delimiters in the DATA phase can create a difference of interpretation between the sending server and the receiving server: a sequence such as a bare LF followed by "." that the sender forwards as ordinary message content is accepted by James as the end-of-data marker. An attacker who controls the message body can use this to terminate the DATA phase early and have the text that follows it (MAIL FROM, RCPT TO, DATA) interpreted by James as a second SMTP envelope. Because the connection still comes from the legitimate sending server, the forged envelope sender can, for instance, pass SPF checks.
The patch enforces CRLF as the line delimiter during the DATA transaction.
We recommend that James users upgrade to a non-vulnerable version.
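The interpretation mismatch described above, as an added example that is not part of the advisory or of the James code base. It models an inbound server's DATA phase with two delimiter policies: a lenient one that also accepts a bare LF as a line ending (an assumption standing in for the pre-fix behaviour) and a strict CRLF-only one (the behaviour the fix enforces). The SMTP session bytes, the domain names and the addresses are constructed for the demonstration; the real sending and receiving servers, and the exact James parsing logic, are in the linked commits and write-ups, not here.

```python
"""SMTP smuggling: one DATA phase seen by a lenient and by a strict receiver.

Added example (not from the Apache James project). The sending relay treats
only CRLF as a line ending, so it neither dot-stuffs nor stops at the bare-LF
".\n" inside the body and forwards it verbatim. Whether the inbound server then
sees one message or two depends solely on its own delimiter policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Delimiter policies applied while reading the DATA phase (assumed models).
STRICT_DELIM = re.compile(rb"\r\n")          # CRLF only: what the fix enforces
LENIENT_DELIM = re.compile(rb"\r\n|\n")      # bare LF also ends a line: vulnerable


@dataclass
class Message:
    mail_from: str
    rcpt_to: list
    body: bytes


def read_data(buf: bytes, delim: re.Pattern) -> tuple[bytes, bytes]:
    """Consume one DATA phase from buf using delim as the line delimiter.

    Returns (message body, bytes left on the connection after the "." line).
    """
    lines = []
    pos = 0
    while True:
        m = delim.search(buf, pos)
        if m is None:
            raise ValueError("DATA phase not terminated")
        line = buf[pos:m.start()]
        pos = m.end()
        if line == b".":                      # end-of-data marker
            return b"\r\n".join(lines), buf[pos:]
        if line.startswith(b"."):             # dot-unstuffing (RFC 5321 4.5.2)
            line = line[1:]
        lines.append(line)


def run_session(session: bytes, delim: re.Pattern) -> list[Message]:
    """Minimal inbound command loop. Commands are always CRLF-terminated; the
    chosen delimiter policy is applied to the DATA phase only."""
    messages: list[Message] = []
    mail_from, rcpts = "", []
    buf = session
    while buf:
        m = STRICT_DELIM.search(buf)
        if m is None:
            break
        cmd, buf = buf[:m.start()], buf[m.end():]
        upper = cmd.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from = cmd[len(b"MAIL FROM:"):].strip().strip(b"<>").decode()
        elif upper.startswith(b"RCPT TO:"):
            rcpts.append(cmd[len(b"RCPT TO:"):].strip().strip(b"<>").decode())
        elif upper == b"DATA":
            body, buf = read_data(buf, delim)
            messages.append(Message(mail_from, rcpts, body))
            mail_from, rcpts = "", []
        elif upper == b"QUIT":
            break
        # EHLO/HELO and anything else is ignored in this demo
    return messages


# Constructed session as received from an outbound relay whose IP is authorised
# by example.com's SPF record. Everything after "DATA" is the attacker's body,
# forwarded unchanged; "\n.\n" is a bare-LF end-of-data marker.
SESSION = (
    b"EHLO relay.example.com\r\n"
    b"MAIL FROM:<attacker@example.com>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: hello\r\n\r\nfirst message\n.\n"
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<victim@example.net>\r\nDATA\r\n"
    b"Subject: urgent\r\n\r\nsmuggled message\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def envelope_senders(session: bytes, delim: re.Pattern) -> list[str]:
    """Envelope senders the inbound server would attribute to this session."""
    return [m.mail_from for m in run_session(session, delim)]


if __name__ == "__main__":
    print("lenient:", envelope_senders(SESSION, LENIENT_DELIM))
    print("strict: ", envelope_senders(SESSION, STRICT_DELIM))
```

The lenient receiver yields two messages, the second with envelope sender ceo@example.com, and SPF evaluates that sender against the relay's authorised IP, so it passes. The strict receiver yields a single message from attacker@example.com whose body merely contains the text "MAIL FROM:<ceo@example.com>", which is the outcome the CRLF enforcement in the fix restores.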
www.openwall.com/lists/oss-security/2024/02/27/4
github.com/apache/james-project
github.com/apache/james-project/commit/d1ef102540e504c067b6c1721a6f1e7eee9c6fc6
github.com/apache/james-project/commit/d5cd8bb098aa78d8d62c9645f3c532689ef1cb03
lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko
nvd.nist.gov/vuln/detail/CVE-2023-51747
postfix.org/smtp-smuggling.html
sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide