Running your own mail server has always been a pretty rough idea. Running an S-Mail (or, for that matter, Sendmail) derivative in 2018 just seems like asking for something bad to happen. With just two exceptions, C-language MTA servers have been the Internet's "Kick Me" sign since literally the inception of Internet hacking.
For reasons I do not understand, but that go all the way back to comp.security.unix days in the 1990s, there's a widespread belief that Exim is somehow a secure mail server. Exim has never been that. The two secure C-language MTAs are qmail and Postfix, both of which were designed, from the ground up, on day 1, to mitigate the kinds of vulnerabilities Sendmail has historically been vulnerable to (and which this vulnerability is an example of).
Don't run your own mail server. But if you have to, don't run a C-language mail server. But if you have to, run Postfix.
Don't run Exim.
Agreed on almost everything, but disagree on this; there's no reason why any reasonably competent and security-focused sysadmin can't run a secure Postfix or qmail server (although it's hard to run a secure version of qmail these days). In some ways, it's easier than back in the day (hello, letsencrypt!) and in some ways it's harder (DKIM, SPF, etc), but it's still doable and there are some excellent reasons for doing so.
(The rest of your advice is excellent.)
> Don't run Exim.
Absolutely agreed. I'm not sure why Debian opted to make it the default MTA over Postfix (but they also opted for systemd over runit, so...)
They can as well use the same server, e.g. because they work for the same company / organization.
A different data retention policy and lack of third-party access may be very important in certain circumstances.
> Don't run your own mail server. But if you have to, don't run a C-language mail server. But if you have to, run Postfix.
I... don't think Postfix's track record bears this out? Setting up a mailserver is quite a bit of work, but if you configure Postfix with an appropriate degree of paranoia and don't care about receiving some spam, you can leave Postfix running for years and years with zero vulnerabilities. (E.g. https://www.cvedetails.com/vulnerability-list/vendor_id-8450..., as you know.)
It's hard to compete against GMail's security, but if you have to run some service on your own Postfix is much less likely to get you pwned than almost any web application, or even many HTTP servers. (Postfix shares that distinction with another large-but-excellent C application, OpenSSH.)
(Mind you, "appropriate degree of paranoia" includes absolutely not running anything like a virus scanner, which protects your server but leaves your mail user agents open to attack.)
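As an added illustration (not part of the comment above, and not Postfix project documentation), here is what "an appropriate degree of paranoia" in a Postfix `main.cf` commonly looks like in practice: the open-relay style settings that cause trouble are shown commented out beside the restrictive settings that replace them. Hostnames, network ranges and certificate paths are placeholders; the directive names themselves are standard Postfix parameters.

```ini
# Example main.cf fragment (constructed example, not a project default).
# Placeholders: mail.example.net, /etc/letsencrypt/live/mail.example.net/.

# --- Relay control: only local networks and authenticated users may relay ---
# Weak: a broad mynetworks turns the box into an open relay for that range.
# mynetworks = 0.0.0.0/0
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# --- Reject obviously forged or malformed senders before accepting mail ---
smtpd_helo_required = yes
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining

# --- Do not let remote clients enumerate valid addresses ---
disable_vrfy_command = yes

# --- Transport security for inbound and outbound SMTP ---
# Weak: no TLS at all leaves every message and credential in the clear.
# smtpd_tls_security_level = none
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.net/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.net/privkey.pem
# Only accept SASL credentials over an encrypted session.
smtpd_tls_auth_only = yes

# --- Resource limits that blunt abusive clients ---
message_size_limit = 26214400
smtpd_client_connection_rate_limit = 30
smtpd_error_sleep_time = 5s
```

After editing, `postfix check` validates the configuration and `postconf -n` prints only the values that differ from the compiled-in defaults, which makes a review of exactly these directives quick. Note that this fragment deliberately stops at the MTA itself: consistent with the comment's point, it adds no content scanner in the delivery path.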
The interesting entries:
> * 2018-02-09 One distro breaks the embargo
> * 2018-02-10 18:00 Grant public access to our official git repo.
Since the report came in on the 5th there wasn't really a lot of time before the "distro" released it.