On Sat, May 17, 2025, 19:34 William Herrin via NANOG <[email protected]> wrote:
> On Sat, May 17, 2025 at 4:23 PM Colin Constable via NANOG
> <[email protected]> wrote:
> > Is anyone else worried about this? We use public certs for client auth in a
> > number of cases.
> >
> > https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
>
> Does seem like it might have an impact on SMTP...

SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use the id-kp-clientAuth EKU, which is what they're deprecating/removing. Certs are used on MTAs for *identity verification of the server* and *integrity validation/encryption*, not authentication. It is strictly only used for *authenticating clients*, hence the name, in mTLS (or *client*-driven one-way TLS, which I don't think I've ever actually seen in the wild to my knowledge).

The only case this would matter is if you are using an MUA/sender/client *authenticating* to an MTA with a certificate. 99.999% of email is one-way server TLS, not mTLS.

LE certs will continue to work fine for SMTP.

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/
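The reply above turns on one fact: what decides whether a certificate can be used to authenticate a TLS *client* is the Extended Key Usage extension, and an MTA presenting a certificate as a *server* only needs id-kp-serverAuth. The script below is an added example (it is not from the thread and not from Let's Encrypt) that makes the distinction concrete with two self-signed test certificates, assumed names `mta` (serverAuth only, the profile LE will keep issuing) and `mua` (serverAuth plus clientAuth, the profile being retired), and then asks `openssl verify -purpose` what a peer that enforces EKU for each role would decide. The CN `mx.example.test` is a placeholder; nothing here touches the network.

```shell
#!/bin/sh
# Added example, not part of the NANOG thread. Generates two throwaway
# self-signed certificates that differ only in their EKU and checks how an
# EKU-enforcing peer classifies them. Requires OpenSSL 1.1.1 or later
# (for "req -addext").
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU_LIST
# Self-signed cert whose only notable extension is the given EKU list.
# The subject is a placeholder; the key is deliberately unencrypted because
# it is deleted on exit.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=mx.example.test" \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# has_eku NAME "TLS Web Client Authentication"
# Exit 0 if the named EKU appears in the certificate. This is the check to
# run against your own certs to see whether you actually depend on clientAuth.
has_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# accepted_for NAME PURPOSE   (PURPOSE is sslserver or sslclient)
# What a peer that validates the cert for that role would decide. The cert is
# its own trust anchor here, so the only thing that can fail is the purpose
# (EKU) check.
accepted_for() {
  openssl verify -purpose "$2" -CAfile "$WORK/$1.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_cert mta serverAuth              # what LE will continue to issue
make_cert mua serverAuth,clientAuth   # the profile LE is retiring

for c in mta mua; do
  for p in sslserver sslclient; do
    if accepted_for "$c" "$p"; then
      echo "$c: accepted as $p"
    else
      echo "$c: rejected as $p"
    fi
  done
done
```

Run as written it reports that `mta` is accepted as sslserver and rejected as sslclient, while `mua` is accepted for both. The first line is the MTA-to-MTA STARTTLS case from the reply: the receiving side presents a serverAuth-only certificate and nothing in that exchange asks for clientAuth. The rejection of `mta` as sslclient is exactly what an mTLS-enforcing peer does once the clientAuth EKU is gone, so the practical check is `has_eku` against any certificate your clients present, not the ones your servers present.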
