Hi Postfix team,

There is some debate online about the disclosure process by SEC Consult 
regarding the SMTP Smuggling vulnerability.

The timeline on <https://www.postfix.org/smtp-smuggling.html> starts on 
December 18, the day the article describing the attack in detail was 
released by SEC Consult.

The article by SEC Consult 
<https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/>
mainly talks about having contacted GMX, Microsoft, and Cisco about the 
vulnerability, even though they mention

> […] in their default configuration, it turned out that Postfix and Sendmail 
> fulfil the requirements, are affected and can be smuggled to.
[…]
> Aside from Postfix and Sendmail, other SMTP implementations are most likely 
> affected as well […]

This made me wonder whether they have talked to the FLOSS community at all. 
However, in an update to the article that was published today, SEC respond 
to accusations of a bad disclosure process by saying:

> […] we contacted CERT/CC on 17th August to get some help for further 
> discussion with Cisco and involve other potentially affected vendors (such as 
> sendmail) through the VINCE communication platform.
>
> […] We received feedback from Cisco […]. Other vendors did not respond in 
> VINCE but were contacted by CERT/CC.
>
> Based on this feedback and as multiple other vendors were included in this 
> discussion through the CERT/CC VINCE platform without objecting, we wrongly 
> assessed the broader impact of the SMTP smuggling research. Because of this 
> assumption, we asked CERT/CC end of November regarding publication of the 
> details and received confirmation to proceed.

Depending on how you read this, it can be interpreted as "we've used VINCE to 
notify other vendors, but they did not consider the vulnerability a threat". 
This leads to some people claiming that Postfix knew about the issue in August, 
but wrongly assessed it as a non-issue. (However, you could just as well read 
it as "we basically wrote some kind of elaborate forum post on this platform 
instead of talking to vendors directly, and didn't do a good job of 
communicating the impact or of checking whether the developers behind one of 
the largest SMTP servers on the planet saw our research at all".)

I don't know how VINCE works, or to what extent the Postfix team has been 
notified of the issue in August, and, even if you did receive information about 
the vulnerability, whether the impact was communicated clearly enough to allow 
you to make an informed decision.

Could you please shed some light on whether or not you've already been 
contacted in August, and if you were, whether the impact was clear? (I assume 
it wasn't, because otherwise we wouldn't be in this situation.)

Thanks in advance, and I wish you calm and relaxing holidays, despite all of 
this.

   Tim.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org