Exim 4.97.1, the latest release of the mail server, is now available. This release includes changes to protect against the SMTP Smuggling attack, which allows a single message to be split into multiple messages by using a non-standard end-of-data sequence as the separator. Initially it was believed that the issue affected only Postfix and Sendmail, but it was later found that Exim is affected as well (CVE-2023-51766).
Exim can treat the sequences "\n.\n", "\r\n.\n", and "\n.\r\n" as message separators when the server accepting incoming connections advertises the PIPELINING and CHUNKING extensions. The fix in this release adds the setting Stickt_CRLF, which can be used to restore the processing of non-standard sequences. As a workaround, administrators can disable the PIPELINING or CHUNKING extensions using the pipelining_advertise_hosts, pipelining_connect_advertise_hosts, and chunking_advertise_hosts settings.
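As an added illustration (not code from Exim or from the original news item), the following Python shows why a receiver that accepts the non-standard sequences above sees two messages where a strict CRLF.CRLF parser sees one, and how to flag such sequences in a captured DATA stream; the sample stream is constructed.

```python
import re

# End-of-data sequences. The standard terminator is CRLF "." CRLF; the
# lenient pattern also accepts the bare-LF variants named in the article.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"(?:\r\n|\n)\.(?:\r\n|\n)")


def messages_seen(data_stream: bytes, strict: bool) -> list:
    """Return the message bodies a receiver would extract from one DATA stream.

    Each match of the end-of-data pattern closes a message; anything after
    the last terminator is an unfinished message and is ignored.
    """
    pattern = STRICT_EOD if strict else LENIENT_EOD
    bodies, start = [], 0
    for m in pattern.finditer(data_stream):
        bodies.append(data_stream[start:m.start()])
        start = m.end()
    return bodies


def nonstandard_terminators(data_stream: bytes) -> list:
    """Offsets and bytes of end-of-data sequences that are not CRLF.CRLF.

    A receiver that honours any of these sees extra messages; a strict
    receiver treats them as ordinary body text. Useful for checking a
    captured session or a message archive for smuggling attempts.
    """
    return [(m.start(), m.group(0))
            for m in LENIENT_EOD.finditer(data_stream)
            if not STRICT_EOD.fullmatch(m.group(0))]


# Constructed sample DATA stream: one message whose body contains a bare
# "\n.\n" followed by text that a lenient receiver reads as a second message.
SAMPLE = (
    b"Subject: report\r\n"
    b"\r\n"
    b"first body\r\n"
    b"\n.\n"                      # non-standard terminator inside the body
    b"Subject: second\r\n\r\nsecond body\r\n"
    b".\r\n"                      # standard CRLF.CRLF terminator
)

if __name__ == "__main__":
    print("strict receiver sees", len(messages_seen(SAMPLE, strict=True)), "message(s)")
    print("lenient receiver sees", len(messages_seen(SAMPLE, strict=False)), "message(s)")
    print("non-standard terminators:", nonstandard_terminators(SAMPLE))
```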