
SMTP | Breaking Cybersecurity News | The Hacker News

Category — SMTP
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution

May 12, 2026 Vulnerability / Email Security
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS. "The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection," Exim said in an advisory released today. "This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able ...
Enhancing Email Security with MTA-STS and SMTP TLS Reporting

Jan 25, 2021
In 1982, when SMTP was first specified, it did not contain any mechanism for providing security at the transport level to secure communications between mail transfer agents. Later, in 1999, the STARTTLS command was added to SMTP, which in turn supported the encryption of emails between servers by providing the ability to convert a non-secure connection into a secure one encrypted using the TLS protocol. However, encryption is optional in SMTP, which implies that emails can be sent in plaintext. Mail Transfer Agent-Strict Transport Security (MTA-STS) is a relatively new standard that gives mail service providers the ability to enforce Transport Layer Security (TLS) to secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver emails to MX hosts that do not offer TLS with a reliable server certificate. It has been proven to successfully mitigate TLS downgrade attacks and Man-in-the-Middle (MitM) attacks. SMTP TLS Report...