Postfix through 3.8.4 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages that appear to originate from the Postfix server, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required: the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

MITRE https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ [No types assigned]

MITRE https://www.postfix.org/smtp-smuggling.html [No types assigned]