MDaemon Mail Server Email Spoofing Vulnerability Bypassing SPF, DKIM, and DMARC

Vulnerability

A vulnerability in MDaemon Mail Server version 23.5.2 allows email spoofing by bypassing SPF, DKIM, and DMARC validations. The issue arises because, during SMTP DATA processing, the server validates only the address enclosed in angle brackets in the 'From:' header and ignores the display-name portion that precedes it. An attacker can exploit this by placing a spoofed address in the display-name portion, followed by multiple invisible Unicode thin spaces, so that the displayed sender differs from the address that was validated. This flaw takes advantage of the discrepancy between how the mail server and most email clients interpret the 'From:' header, leading to misleading sender information.

Impact

Exploitation of this vulnerability allows for email sender spoofing, creating a false impression of the message's origin while circumventing established anti-spoofing measures.

Reproduction

To reproduce this vulnerability, send an email via SMTP with a 'From:' header that includes a spoofed email address followed by several invisible Unicode thin spaces and a valid email address enclosed in angle brackets. The recipient's email client will display only the spoofed address, while MDaemon will validate the address inside the brackets, effectively allowing the spoofing to bypass SPF, DKIM, and DMARC checks.
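The check below is an added example for detection on the receiving side; it is not code from the advisory or from MDaemon. It splits a 'From:' header the way the advisory says the server does (only the address inside the last angle brackets is the authenticated addr-spec), then flags headers whose display-name part contains invisible Unicode whitespace or format characters, or an address-like token that differs from the addr-spec. The sample headers, domain names and the set of characters treated as invisible are constructed assumptions for the example; the advisory names only "thin spaces".

```python
import re
import unicodedata

# Loose addr-spec pattern (local@domain); for detection only, not RFC 5322 validation
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_invisible(ch: str) -> bool:
    """True for whitespace or format characters other than a plain ASCII space.

    Category Zs covers space separators such as U+2009 THIN SPACE and
    U+202F NARROW NO-BREAK SPACE; Cf covers format characters such as
    U+200B ZERO WIDTH SPACE and U+2060 WORD JOINER.
    """
    if ch == " ":
        return False
    return unicodedata.category(ch) in ("Zs", "Cf")


def split_from_header(value: str):
    """Return (display_part, addr_spec) for a From: header value.

    Mirrors the server-side behaviour described in the advisory: the address
    that is authenticated is the one inside the last pair of angle brackets.
    Only ASCII whitespace is stripped, so that Unicode spaces stay visible
    to the audit below (str.strip() with no argument would remove U+2009).
    """
    m = re.search(r"<([^<>]*)>\s*$", value)
    if m:
        return value[: m.start()].strip(" \t\r\n"), m.group(1).strip(" \t\r\n")
    return "", value.strip(" \t\r\n")


def audit_from_header(value: str) -> dict:
    """Flag From: headers whose display part could be mistaken for the sender.

    Findings (in this order, when present):
      invisible_chars     - display part contains non-ASCII whitespace/format characters
      address_in_display  - display part contains an address-like token that is not the addr-spec
      domain_mismatch     - that embedded address is in a different domain than the addr-spec
    """
    display, addr = split_from_header(value)
    findings = []
    invisible = [f"U+{ord(c):04X}" for c in display if is_invisible(c)]
    if invisible:
        findings.append("invisible_chars")
    # Drop invisible characters before searching for an embedded address, so
    # that thin spaces inserted inside a token cannot split it and hide it
    cleaned = "".join(c for c in display if not is_invisible(c))
    embedded = [a for a in ADDR_RE.findall(cleaned) if a.lower() != addr.lower()]
    if embedded:
        findings.append("address_in_display")
        addr_domain = addr.rsplit("@", 1)[-1].lower()
        if any(a.rsplit("@", 1)[-1].lower() != addr_domain for a in embedded):
            findings.append("domain_mismatch")
    return {
        "display_name": cleaned,
        "addr_spec": addr,
        "invisible": invisible,
        "embedded_addresses": embedded,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample headers (assumed for this example, not taken from the advisory)
SAMPLES = {
    "benign": "Alice Example <alice@example.com>",
    "display_equals_addr": "alice@example.com <alice@example.com>",
    "thin_spaces": "ceo@victim.example" + "\u2009" * 6 + "<mailer@sender.example>",
    "zero_width": "ceo@victim.example\u200b<mailer@sender.example>",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        r = audit_from_header(hdr)
        print(f"{name:20} findings={r['findings']} addr_spec={r['addr_spec']}")
```

A gateway or SIEM rule built on this would treat `domain_mismatch` as the strongest signal, since SPF, DKIM and DMARC have all been evaluated against a domain the recipient never sees; `invisible_chars` alone is a weaker signal, because some clients and localised software emit non-ASCII spaces legitimately.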

Added: Nov 5, 2025, 3:23 PM
Updated: Nov 5, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.