@jwildeboer The postfix CVE is NOT filed by the postfix project. The project writes on their page about SMTP smuggling that the CVE is incorrect.
It is indeed incorrect; the CVE states that it’s possible to send mails that appear to originate from a postfix system. This is not the case.
@jornane Wietse also says on that page that he has sent corrections to the person that filed the CVE, so I guess/hope that will be fixed soon. UPDATE: the CVE has been fixed and now describes the problem in better ways.