On Thu, Oct 16, 2025 at 11:33:54AM +0000, Gellner, Oliver via mailop wrote:
> > A spammer might just get various certificates for different host names via
> > letsencrypt.
>
> Starting 2026 Let's Encrypt is going to exclusively offer server
> authentication certificates, which cannot be used for SMTP client
> authentication. So the spammer would have to buy certificates from
> another CA at least.
With DANE, client certificates can and SHOULD be self-signed, but can be
from a private CA, when that makes sense. MTA server certificates can
also be self-signed, though on the MSA ports 465 and 587 a certificate
chained to one of the usual WebPKI trust-anchors is typically useful to
placate MUAs.
--
Viktor. 🇺🇦 Слава Україні!