Looks like Postfix developers are quite pissed at this release with months-long advance disclosure to commercial vendors, while learning about it right before the holiday break:

http://www.postfix.org/smtp-smuggling.html

Others are even calling for the cancellation of the 37c3 talk: https://gay-pirate-assassins.de/@moanos/statuses/01HJ8D8XQ7Z...




SEC Consult added an update to their page [1]. They are basically hiding behind Cisco, CERT-Bund and CERT.at.

I mean, c'mon... They did all that research and they expect me to believe they didn't understand the potential impact so they deferred to someone else's judgement? That's the excuse, seriously?

Besides, what would have been the harm in reaching out to projects like Sendmail and Postfix and asking them for their opinion? I'm more inclined to trust the judgement of the Postfix project than of Cisco.

[1] https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-...


I don't understand the hate against Timo. It's pretty obvious from the article that he only thought about the recipient side and not about the sender (postfix). Postfix does behave wrong (according to e.g. RFC 2822 section 2.3), but it still was not in scope of the article.

The disclosure did go to the parties whom he (or SEC Consult) deemed vulnerable.

If anything it just shows that Wietse has a way better understanding of SMTP than most of us normal humans.


Quoting the parent SEC Consult article:

> This might not seem bad at first, but looking at affected SMTP software on the Internet is a different story. After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to. Speaking globally, this is a lot (figure 31)!

It seems like Postfix was properly identified as a party to this issue.
