On Sun, May 18, 2025, 13:30 Grant Taylor via NANOG <[email protected]> wrote:
> On 5/18/25 12:14 PM, Tom Beecher via NANOG wrote:
> > "I am FOO." = Identification
> >
> > "This is proof I am FOO" = Authentication
>
> Okay. I think that's a fair distinction.
>
> Based on these meanings, I think that most contemporary MTAs use some
> form of (weak) authenticated identity. The most common that I see is
> reverse DNS with forward DNS confirmation. A less common form of
> (client) authentication is username & password.
>
> N.B. Only less common in that there are more MTA-to-MTA connections than
> there are MUA-to-MTA connections. -- I'm eliding illegitimate
> connections like credential stuffing attacks.
>
> I haven't seen a properly configured Internet accessible MTA not do any
> form of authentication in many years. More like multiple decades at
> this point.
>
> So I posit that Brent's "SMTP do not authenticate" statement is outdated
> at best.

MTAs don't authenticate to each other. They *usually* verify the cert, but this *is not* authentication: there is no context given to the identity, merely that the public key is trusted.

> What is done with that authenticated identity is down-stream and
> independent of the authentication process itself.

If authentication is done on an identity provided, *that is downstream*. TLS, by itself, is not authentication. Encryption and the trust/validity/verification of it is *not* authentication.

(Internet-facing) MTAs do *not* allow/disallow entry of the service based on the identity itself.

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/QIMXQFXCN5SAR4G3JO7OUDISDSNXT6QE/
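The check Grant names above, "reverse DNS with forward DNS confirmation" (FCrDNS), is what an Internet-facing MTA evaluates before it has any SMTP-level identity to go on. The Python below is an added example written for this page, not code from the thread or from any MTA; the PTR and A/AAAA records are constructed from RFC 5737/RFC 3849 documentation ranges so it runs offline, and the two postures modelled in `connection_decision` (reject only when no PTR exists, or reject unless the reverse name is forward-confirmed) are a simplification of what real MTA client restrictions offer.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as an MTA would evaluate it.

Added example, not from the NANOG thread. The DNS data below is constructed
(documentation address ranges); a real MTA would query a resolver instead.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reverse (PTR) data, keyed by the normalized client address.
PTR_RECORDS: Dict[str, List[str]] = {
    "203.0.113.25": ["mail.example.net."],      # PTR and A agree
    "203.0.113.26": ["mail.example.net."],      # PTR borrowed; A does not point back
    "198.51.100.7": ["mx1.example.org.", "mx2.example.org."],  # several PTRs, one confirms
    "2001:db8::25": ["mail.example.net."],      # IPv6 client, confirmed via AAAA
}

# Constructed forward (A/AAAA) data, keyed by fully qualified name.
FORWARD_RECORDS: Dict[str, List[str]] = {
    "mail.example.net.": ["203.0.113.25", "2001:db8::25"],
    "mx1.example.org.": ["192.0.2.9"],
    "mx2.example.org.": ["198.51.100.7"],
}

Resolver = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query against the constructed data."""
    return PTR_RECORDS.get(ip, [])


def lookup_forward(name: str) -> List[str]:
    """Stand-in for an A/AAAA query against the constructed data."""
    return FORWARD_RECORDS.get(name, [])


def fcrdns(client_ip: str,
           ptr: Resolver = lookup_ptr,
           forward: Resolver = lookup_forward) -> Tuple[Optional[str], str]:
    """Return (confirmed_hostname, reason).

    confirmed_hostname is set only when some PTR name for client_ip has an
    A/AAAA record that contains client_ip again. Every other outcome is a
    failure, and the second element says why.
    """
    addr = ipaddress.ip_address(client_ip)      # normalizes case and zero compression
    names = ptr(str(addr))
    if not names:
        return None, "no PTR record"
    for name in names:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
        if addr in forward_addrs:
            return name, "confirmed"
    return None, "PTR name(s) do not resolve back to client address: " + ", ".join(names)


def connection_decision(client_ip: str, require_confirmation: bool) -> str:
    """Model two common MTA postures (simplified, hypothetical policy):
    reject only when no PTR exists, or reject unless the reverse name is
    forward-confirmed."""
    name, reason = fcrdns(client_ip)
    if name:
        return f"accept ({name})"
    if reason == "no PTR record" or require_confirmation:
        return f"reject ({reason})"
    return f"accept unverified ({reason})"


if __name__ == "__main__":
    for ip in ["203.0.113.25", "203.0.113.26", "198.51.100.7", "2001:DB8::25", "192.0.2.200"]:
        print(f"{ip:16} -> {connection_decision(ip, require_confirmation=True)}")
```

What a pass establishes is narrow: whoever controls the reverse zone for the client's address block also controls the forward zone of the name it returned. It binds the connection to a DNS name, not to an envelope sender or to a mail operator, which is exactly the gap between "I am FOO" and "this is proof I am FOO" that the thread is arguing over. Case 203.0.113.26 shows why the forward confirmation matters: a PTR alone can point at any name its owner likes.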
