On 5/23/25 1:11 PM, William Herrin via NANOG wrote:
On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG
<nanog@lists.nanog.org> wrote:
It appears that Bjørn Mork via NANOG <nanog@lists.nanog.org> said:
I really wish this zombie argument would die. The people who run mail
systems are not all stupid, and if client certs were useful, someone
in the past 30 years would have tried using them.
I'm not sure what you're trying to say here, but there is no difference
between submission and smtp wrt mutual tls. If the server wants to
authenticate the client, then a client certificate will be useful.
If the client authenticates it's submission. If it doesn't, it's SMTP
unless the client later authenticates with SMTP AUTH.
Hi John,
Only traffic on port 587 is explicitly SMTP submission.. On port 25 it
might or might not be depending on how the client and server choose to
use the authentication. For example, an MSA can add or change
message-id, date and sender headers in the message body while an MTA
is not supposed to. This happens independent of whether the
connection to the MTA/MSA is authenticated.
Practically speaking, there aren't a lot of applications for client
certificate authenticated SMTP which aren't mail submission. But 99%
is not 100% and it's an error to treat it as if it is.
Plus bakes in the general practice of "hard on the outside, soft on the
inside" which is a bogus thing to bake in.
If downstream MTAs want client TLS auth, that's their business. Will
that likely work inter-domain? No, but MTA->MTA SMTP conversations are
not necessarily inter-domain.
Mike
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/IXBNU33325DQYPRVI6TJFH5WZLIAWSTZ/
