Hello Ken. It may be that the RFC says the client need not present a valid certificate, but I have found that smtp clients I manage that want to send mail to Microsoft managed domains cannot set up an SSL-encrypted smtp session unless the client presents a valid certificate as part of the key negotiation process. This may be something they're doing in violation of the RFC, but I found when I configured sendmail to present a valid certificate, one that could be verified versus a self-signed certificate, mail which wasn't flowing began flowing again. Note I'm not talking about an smtp-auth situation where an individual user is authenticating to an smtp service, but rather server-to-server communications where two smtp MTA agents want to exchange mail with each other.
-thanks
-Brian

On Nov 14, 9:30am, Ken Hornstein wrote:
} Subject: Re: openssl3+postfix issue (ca md too weak)
} > Hello Taylor. Just as a point of reference, smtp clients that
} >connect to domains hosted by Microsoft, i.e. outlook.com and any other
} >domains that use their infrastructure for e-mail, will have to present
} >a valid SSL certificate in order to submit mail to their smtp servers.
}
} I do not believe this statement is correct. My reading of RFC 8461
} is that all it says is that the _server_ has to have a valid certificate
} and says nothing about client certificates. In my limited experience
} configuring your SMTP _client_ to present a certificate is very very
} rare.
}
} --Ken
>-- End of excerpt from Ken Hornstein
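The distinction Brian draws above, a client certificate that "could be verified versus a self-signed certificate", is what a receiving MTA that validates client certificates actually checks: does the presented certificate chain to a CA the receiver trusts? The script below is an added illustration, not code from this thread or from Postfix or sendmail. It builds a throwaway private CA, issues one client certificate from it, generates a second self-signed certificate for the same name, and runs `openssl verify` against the CA on both. The CA name, the hostname `mta.example.test` and the `cert_verifies` helper are constructed for the demonstration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway CA-signed
# client certificate and a self-signed one, then check which of the two a
# peer that validates client certificates against a known CA would accept.
# Assumes the openssl CLI is installed; all names, paths and subjects below
# are constructed for this demonstration.
set -e

WORK="$(mktemp -d)"

# Minimal private CA (constructed; in practice this is a public CA that the
# receiving MTA already trusts).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Client certificate issued by that CA: private key, CSR, then CA signature.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=mta.example.test" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/client.pem" >/dev/null 2>&1

# Self-signed certificate for the same hostname: same name, but signed by
# nobody the peer trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=mta.example.test" \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1

# cert_verifies CAFILE CERTFILE: prints "ok" if CERTFILE chains to a CA in
# CAFILE, "fail" otherwise. This is the same chain check a receiving server
# applies to a client certificate presented during the TLS handshake.
cert_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Only the CA-issued certificate passes against the CA; the self-signed one
# has a valid signature but no trust path.
CA_SIGNED_RESULT="$(cert_verifies "$WORK/ca.pem" "$WORK/client.pem")"
SELF_SIGNED_RESULT="$(cert_verifies "$WORK/ca.pem" "$WORK/selfsigned.pem")"

echo "CA-signed client cert:   $CA_SIGNED_RESULT"
echo "self-signed client cert: $SELF_SIGNED_RESULT"
```

Once a certificate that chains to a public CA is available, the MTA's outbound (client-side) TLS settings point at it: in Postfix that is `smtp_tls_cert_file` and `smtp_tls_key_file` (or `smtp_tls_chain_files` on Postfix 3.4 and later), as distinct from the `smtpd_tls_*` parameters that govern the server side; in sendmail it is the `ClientCertFile` and `ClientKeyFile` options (`confCLIENT_CERT` and `confCLIENT_KEY` in the m4 configuration). Against a live peer the same handshake can be checked with `openssl s_client -starttls smtp -connect host:25 -cert client.pem -key client.key`, which shows whether the session completes when the client certificate is offered.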