I know I'm just repeating what others have said here, but just wow. Publishing something like this less than a week out from Christmas, with apparently no responsible disclosure.
Maybe it will come out that somehow they messed up and the postfix crowd didn't get the memo when they were supposed to, but otherwise this is almost malicious in its negligent attitude.
Seems like they got too excited by having such an incredible exploit and got ahead of themselves? Either way, good way to create unnecessary grudges and resentment.
Only talking to corporates for responsible disclosure is not something that's gonna go down well with that crowd.
I hope they get some critical questions in the Q&A.
Critical questions? Was hoping for them to get booed off stage for talking to vendors of proprietary solutions and not including open source projects in their disclosure comms.
It allows someone to fake the sender, and have the fake bypass the signature schemes that are supposed to prevent fakery. But it's not that incredible; those signature schemes are addons for SMTP, which has always allowed this kind of fakery.
That is: I'm not exactly bowled-over to learn that it's possible to fake the sender of an email.
Yeah, I did. As I said, maybe they thought this was going to reach the postfix crowd, but they name them in the article, indicate they're affected, and yet made no attempt to directly inform the postfix guys?
From the wording of postfix's announcement, it's possible they did disclose the vulnerability itself, but withheld some kind of important information, whatever that means. Or else we have to take for granted that the postfix crew are lying about it.
Either way, why would you publish literally right before Christmas? People need time to check if they're affected and update or patch systems. At best it's highly inconsiderate, and it seems more negligent than inconsiderate.
I wonder what "critical information" was missing. The gist of the exploit is a very short sentence.
Not pointing fingers, but without looking at the actual email, the fault could lie on either side. "Missing critical information" is the excuse anyone would use after ignoring an important disclosure.