Control: found -1 3.1.9-0+deb9u2 Scott Kitterman wrote:
> I agree this is a problem. A design change like this should not be
> implemented at the distro level, so it's not a patch I would consider
> for Debian. It should be discussed with the upstream developers.

Does upstream have a BTS? I remember looking for an upstream BTS when I filed this, and not finding one. I did find a mailing list, but it already had multiple reports about this vulnerability.

What I did to my own copy of Postfix (and shared with others, via this bug report) was not a design change, but a surgical removal of Postfix's ability to send "bounce" messages to strangers. It's true that a design change would be better, but one doesn't want to wait that long.

This exploit had been made public almost 10 years before I first encountered it (in Petter Urkedal's 2004-09-17 message, linked in my bug report) and the version of Postfix that's in Debian Stable today is still vulnerable to this 14.4-year-old exploit!

I (and probably many others) want an MTA that just doesn't ever send "bounce" messages to strangers.