On Sun, Apr 18, 2021 at 07:59:07PM -0400, Demi Marie Obenour wrote:

> >> Would it be possible to support trusting based on subject alt name?
> >> I would like a machine with a certificate for a.example.com to send
> >> mail from a.example.com domains.

This rather mixes end-to-end properties (the message envelope sender is
a fixed element of a multi-hop SMTP relay chain) with hop-by-hop
properties (TLS client certificates).

Permitting particular client certs is fine for MSA relay authorisation,
but is rather dubious for enforcing the envelope sender domain.

Are you then going to forbid the use of these sender domains unless the
client presents a corresponding certificate?  Is this a message
submission service or an inbound MTA?

> Each system is issued a certificate for its own domain.  Perhaps a
> better example would be email Subject Alternative Names.

That's not an example (use-case), it is a certificate field.  What
is the use-case?  With some specificity...

-- 
    Viktor.
