On Sun, Oct 12, 2025 at 05:59:57PM +0100, Andrew C Aitchison via mailop wrote:
> I know that TLS is only hop-to-hop, not end-to-end and that MTA-MTA
> only has STARTTLS, not fully encrypted connections, but it does allow
> client certificates as well as server certificates.
With STARTTLS, message transmission is fully *encrypted*, but the remote
end is often not *authenticated*. That said, your key observation is
that SMTP is often not end-to-end, and the *client* is then not
necessarily related to the sender.
Therefore, in the context of MTA-to-MTA (port 25) email relaying, a client
certificate could perhaps be used as a lookup key for client reputation,
that could be more robust than an IP address. And the DANCE working
group client id draft:
https://datatracker.ietf.org/doc/html/draft-ietf-dance-tls-clientid-07
could be used for that purpose, but there are as yet no implementations.
I may some day find some time to implement this in Postfix, unless
someone sufficiently motivated and skilled beats me to it.
--
Viktor. 🇺🇦 Слава Україні!