On Sat, Oct 25, 2014 at 01:13:38AM +0200, Per Thorsheim wrote:
> I've known for many years that Messagelabs, now part of Symantec,
> requests a valid client certificate from a narrow list of CAs if you
> want to use starttls with their servers, at least *.eu.messagelabs.com.

Can you explain what you're talking about? Sending mail to their
servers via TLS works just fine, with no client certificates of any
kind.

$ posttls-finger -dsha256 symantec.com
posttls-finger: Connected to cluster4.us.messagelabs.com[216.82.253.227]:25
posttls-finger: < 220 server-10.tower-170.messagelabs.com ESMTP
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-server-10.tower-170.messagelabs.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-PIPELINING
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 ready for TLS
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: Matched subjectAltName: cluster4.us.messagelabs.com
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4a.us.messagelabs.com
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: cluster4out.us.messagelabs.com
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subjectAltName: mail170.messagelabs.com
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25 CommonName mail170.messagelabs.com
posttls-finger: certificate verification failed for cluster4.us.messagelabs.com[216.82.253.227]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
posttls-finger: cluster4.us.messagelabs.com[216.82.253.227]:25: subject_CN=cluster4.us.messagelabs.com, issuer_CN=Symantec Class 3 Secure Server CA - G4, fingerprint=50:F0:54:A2:DE:8B:F1:8B:30:41:08:E6:40:DF:C9:2E:68:0C:43:BD:13:F9:40:78:EB:78:C7:F8:56:B8:F4:BB, pkey_fingerprint=AC:5D:D9:85:24:52:21:7C:BE:97:C8:C9:C2:35:E9:FA:1A:8E:6E:19:12:B7:28:EF:35:A5:4C:E3:E8:8C:AA:08
posttls-finger: Untrusted TLS connection established to cluster4.us.messagelabs.com[216.82.253.227]:25: unknown with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-server-10.tower-170.messagelabs.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 server-10.tower-170.messagelabs.com

Likewise receiving mail from them also works just fine over TLS, with
the self-signed certificate on my server.

Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: connect from mail1.bemta8.messagelabs.com[216.82.243.197]
Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: Anonymous TLS connection established from mail1.bemta8.messagelabs.com[216.82.243.197]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 21:55:46 amnesiac postfix/smtpd[28468]: 0C6C52AACA3: client=mail1.bemta8.messagelabs.com[216.82.243.197]
Aug 22 21:55:46 amnesiac postfix/cleanup[27403]: 0C6C52AACA3: message-id=<...>
Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: from=<...>, size=3428, nrcpt=1 (queue active)
Aug 22 21:55:46 amnesiac postfix/virtual[7634]: 0C6C52AACA3: to=<...>, orig_to=<...>, relay=virtual, delay=0.51, delays=0.51/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: removed

> I just assume that a whole lot of mail must be sent in plain due to
> their very narrow approach?

What narrow approach is that?

Some of the larger outsourced email security services act in part like
transparent proxies, mirroring the features of the sending client to
the receiving system, so if the origin employs STARTTLS, so does the
proxy. Thus not all the mail I've received from them is TLS protected,
but most is. And indeed, for my limited sample, use of TLS seems to
correlate with the sender domain.

-- 
	Viktor.
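Viktor's observation that TLS use on inbound mail from such a relay correlates with the sender domain behind it is easy to measure on any Postfix receiver. The script below is an added example written for this thread, not code from the list or from Postfix; it walks Postfix smtpd log lines in the same shape as the excerpt above, tracks each smtpd process's session between its "connect from" and "disconnect from" lines, and reports per client host how many accepted messages arrived over a TLS session versus in the clear. The log lines are constructed, with placeholder hostnames and documentation addresses, and the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the smtpd excerpt quoted in the thread.
# Hosts and addresses are placeholders. Note that smtpd pid 28468 serves two
# separate sessions, one with TLS and one without, so per-pid state must be
# reset on connect/disconnect rather than kept for the life of the process.
SAMPLE_LOG = """\
Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: connect from mail1.relay.example[192.0.2.10]
Aug 22 21:55:45 amnesiac postfix/smtpd[28468]: Anonymous TLS connection established from mail1.relay.example[192.0.2.10]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 21:55:46 amnesiac postfix/smtpd[28468]: 0C6C52AACA3: client=mail1.relay.example[192.0.2.10]
Aug 22 21:55:46 amnesiac postfix/qmgr[628]: 0C6C52AACA3: from=<a@example.org>, size=3428, nrcpt=1 (queue active)
Aug 22 21:55:47 amnesiac postfix/smtpd[28468]: disconnect from mail1.relay.example[192.0.2.10]
Aug 22 21:56:01 amnesiac postfix/smtpd[28470]: connect from mail2.relay.example[192.0.2.11]
Aug 22 21:56:01 amnesiac postfix/smtpd[28470]: 1D7E52AACA4: client=mail2.relay.example[192.0.2.11]
Aug 22 21:56:02 amnesiac postfix/smtpd[28470]: disconnect from mail2.relay.example[192.0.2.11]
Aug 22 21:57:10 amnesiac postfix/smtpd[28468]: connect from mail1.relay.example[192.0.2.10]
Aug 22 21:57:10 amnesiac postfix/smtpd[28468]: 2E8F52AACA5: client=mail1.relay.example[192.0.2.10]
Aug 22 21:57:11 amnesiac postfix/smtpd[28468]: disconnect from mail1.relay.example[192.0.2.10]
Aug 22 21:58:00 amnesiac postfix/smtpd[28471]: connect from mail3.relay.example[192.0.2.12]
Aug 22 21:58:00 amnesiac postfix/smtpd[28471]: Untrusted TLS connection established from mail3.relay.example[192.0.2.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 21:58:01 amnesiac postfix/smtpd[28471]: 3F9A52AACA6: client=mail3.relay.example[192.0.2.12]
Aug 22 21:58:02 amnesiac postfix/smtpd[28471]: disconnect from mail3.relay.example[192.0.2.12]
"""

# Only smtpd lines matter; the pid identifies the session the line belongs to.
SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)")
# Postfix logs the TLS trust level as Anonymous/Untrusted/Trusted/Verified.
TLS_RE = re.compile(
    r"^(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<host>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# One "client=" line per accepted message, keyed by queue id.
CLIENT_RE = re.compile(r"^[0-9A-F]+: client=(?P<host>\S+)")
DISCONNECT_RE = re.compile(r"^disconnect from ")


def hostname(client_field):
    """Strip the '[address]' suffix Postfix appends to client names."""
    return client_field.split("[", 1)[0]


def tls_by_client(lines):
    """Return {host: {'messages': n, 'tls': m}} for accepted messages."""
    sessions = {}  # pid -> TLS description for the current session, or None
    stats = defaultdict(lambda: {"messages": 0, "tls": 0})
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if CONNECT_RE.match(msg):
            sessions[pid] = None  # new session: forget any earlier TLS state
            continue
        t = TLS_RE.match(msg)
        if t:
            sessions[pid] = "%s %s/%s" % (t.group("level"), t.group("proto"), t.group("cipher"))
            continue
        c = CLIENT_RE.match(msg)
        if c:
            entry = stats[hostname(c.group("host"))]
            entry["messages"] += 1
            if sessions.get(pid):
                entry["tls"] += 1
            continue
        if DISCONNECT_RE.match(msg):
            sessions.pop(pid, None)
    return dict(stats)


def plaintext_senders(stats):
    """Hosts that delivered at least one message without TLS, sorted."""
    return sorted(h for h, s in stats.items() if s["tls"] < s["messages"])


if __name__ == "__main__":
    result = tls_by_client(SAMPLE_LOG.splitlines())
    for host, s in sorted(result.items()):
        print("%-22s %d/%d over TLS" % (host, s["tls"], s["messages"]))
    print("hosts with cleartext deliveries:", plaintext_senders(result))
```

Run against a real mail log, the per-host counts make the "correlates with the sender domain" pattern visible: a relay that mirrors its customers' STARTTLS behaviour shows a mixed ratio, while a relay that always negotiates TLS shows every message counted in the tls column. Feeding `tls_by_client` the output of `grep 'postfix/smtpd' /var/log/mail.log` is enough; it ignores cleanup, qmgr and delivery-agent lines.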