Apache James is vulnerable to SMTP Smuggling. The vulnerability is due to the lenient behavior in line delimiter handling which creates a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
www.openwall.com/lists/oss-security/2024/02/27/4
github.com/apache/james-project/commit/d1ef102540e504c067b6c1721a6f1e7eee9c6fc6
github.com/apache/james-project/commit/d5cd8bb098aa78d8d62c9645f3c532689ef1cb03
lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko
postfix.org/smtp-smuggling.html
sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/