[quote] With all Postfix versions, "smtpd_data_restrictions = reject_unauth_pipelining" will stop the published exploit. [/quote]

https://www.postfix.org/smtp-smuggling.html


I changed the title. Although I heard from someone involved that the intermediates really should be revoked in 7 days. Let's wait and see.


They definitely should be—that’s what the author is claiming is mandated, and it would make sense. However, I’m a bit skeptical about browsers being able to enforce that timeline here.

Also, given that the underlying cause appears to be ignorance, it would be prudent to take things slow and ensure that this doesn’t happen again. As I said before, the damage is already done—revoking appears to be insufficient here.

If this does actually happen within 7 days, though, I will be thoroughly impressed.


It could be considered a tacit warning that browsers may choose to mistrust the impacted subCAs in the near future. I don’t know the specifics, but I assume they can revoke for non-compliance using in-browser mechanisms without depending on the revocation process.

EDIT: Mozilla’s reply: https://news.ycombinator.com/item?id=23748561


You don't have to trust Sleevi (though: you always should); you can just read the BRs. The revocation requirement is in this case black-letter SHALL.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...
