On 22 May 2018, at 12:24, Andrew C Aitchison wrote:
> Also, does the MTA check the name in the certificate ?
Not generally.
> I understand that not all do (or didn't until recently)
None do so with significant consequences for failure, unless they really
want their mail to break on a regular basis.
> since you can't always determine what the name should be.
There are actually 3 issues of absent specification involved:
1. What is the correct name to demand? The recipient domain? The name in
the MX record? The name in the greeting banner?
2. What are the best responses to each of the various modes of
certificate verification failure?
3. What does a detectable host-level "impersonation" attempt really mean
for email? Is it possible? Is it meaningful?
Historically, self-signed certs have been the norm for SMTP servers
because the only real value of TLS for SMTP has been encryption in
transit, not authentication. The adoption of DANE (and its predicate
DNSSEC) may change this eventually, but that's not soon.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
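To make issue 1 above concrete, here is an added example (not code from either poster) that checks a server certificate's dNSName SANs against the three candidate reference names the reply lists, using RFC 6125-style matching; the certificate names, MX host and banner name are constructed for the illustration.

```python
# Added example: which of the three candidate reference identifiers
# (recipient domain, MX hostname, greeting-banner name) does an SMTP
# server certificate actually satisfy?  All data below is constructed.

def dns_id_matches(san: str, name: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, a wildcard is
    allowed only as the entire left-most label, and a wildcard SAN must
    still carry at least two fixed labels (no '*.example')."""
    san_labels = san.lower().rstrip(".").split(".")
    name_labels = name.lower().rstrip(".").split(".")
    if len(san_labels) != len(name_labels):
        return False
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    return all(p == "*" or p == l for p, l in zip(san_labels, name_labels))


def matching_names(san_list, candidates: dict) -> dict:
    """Map each candidate role to True if any SAN dNSName matches it."""
    return {role: any(dns_id_matches(s, n) for s in san_list)
            for role, n in candidates.items()}


# Constructed scenario: mail for example.org is routed by MX to a hosting
# provider's server, whose certificate names only the provider's hosts.
CONSTRUCTED_SAN = ["mx1.mailhost.example", "*.mailhost.example"]
CONSTRUCTED_CANDIDATES = {
    "recipient_domain": "example.org",              # the RCPT domain
    "mx_hostname": "mx1.mailhost.example",          # target of the MX RR
    "banner_name": "smtp-in.mailhost.example",      # name in the 220 banner
}


def evaluate() -> dict:
    return matching_names(CONSTRUCTED_SAN, CONSTRUCTED_CANDIDATES)


if __name__ == "__main__":
    for role, ok in evaluate().items():
        print(f"{role:17s} {'match' if ok else 'NO MATCH'}")
```

A match on the MX hostname only shows the client reached the host that an unsigned MX lookup named, which is why the reply ties meaningful authentication to DANE and DNSSEC.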