brent saner via NANOG <[email protected]> writes:

> On Sat, May 17, 2025, 19:34 William Herrin via NANOG <[email protected]>
> wrote:
>>
>> Does seem like it might have an impact on SMTP...
>>
>
> SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU,
> which is what they're deprecating/removing. Certs are used on MTAs for
> *identity verification of the server* and *integrity
> validation/encryption*, not authentication.
>
> It is strictly only used for *authenticating clients*, hence the name, in
> mTLS (or *client*-driven one-way TLS, which I don't think I've ever
> actually seen in the wild to my knowledge).
>
> The only case this would matter is if you are using an MUA/sender/client
> *authenticating* to an MTA with a certificate. 99.999% of email is one-way
> server TLS, not mTLS. LE certs will continue to work fine for SMTP.
>

Maybe this answers my questions. I am not sure. Is there any clear documentation of what is going on here?

>>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/

--
Christian de Larrinaga
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/F5UVFTDK3N2PQZYOZYCD5SZH6SFOQZPM/
