nanog mailing list archives

Re: Trivial change in Public Cert behaviour coming soon
From: John Levine via NANOG <nanog () lists nanog org>
Date: 23 May 2025 15:34:35 -0400

It appears that Bjørn Mork via NANOG <nanog () lists nanog org> said:
>> I really wish this zombie argument would die.  The people who run mail
>> systems are not all stupid, and if client certs were useful, someone
>> in the past 30 years would have tried using them.
>
> I'm not sure what you're trying to say here, but there is no difference
> between submission and smtp wrt mutual tls. If the server wants to
> authenticate the client, then a client certificate will be useful.

If the client authenticates, it's submission.  If it doesn't, it's SMTP
unless the client later authenticates with SMTP AUTH.

> Having optional authentication on port 25 doesn't mean that arbitrary
> MTAs contacting your MX will be asked to authenticate.  It just means
> that friendly clients are allowed to authenticate, and may get special
> treatment if they do.  Typically being allowed to use the smtp server
> as a smarthost, similar to what you'd expect on the submission port.

Right, that's submission, not SMTP.

> I for one use client certificate authentication on ports 25, 465 and
> 587.

Right, that's still submission.

> There is also the sendmail accessdb support for client certificates.
> Note that this is different from doing "AUTH EXTERNAL". It doesn't
> result in an authenticated username. It's more like access list rules,
> where you match on subject and/or issuer instead of the client IP.  Such
> rules can be used to e.g. allow relaying for specific hosts.

Right, that's another form of submission.  I think we agree that if you
can only use privately signed certs in that context, it's no great loss.

R's,
John

PS: For anyone who hasn't been following along, Postfix and Exim are a lot
more popular than sendmail these days.  Sendmail is more interesting as an
historical artifact.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZXANTWKJQAZIRJJT6DQMXNEA57YYVAUZ/
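For readers who have not seen the sendmail access-map rules discussed in the thread, here is an added example (not from the message above; the CA and host DNs are constructed) of relaying decided by certificate issuer and subject rather than by client IP. It assumes FEATURE(`access_db') is enabled in sendmail.mc and that confCACERT/confCACERT_PATH point at the private CA that signs the client certificates, so that ${verify} comes back OK; spaces and other special characters in a DN are written as +HH.

```text
# /etc/mail/access (constructed example; rebuild the map with makemap after editing)
#
# These lookups only happen when sendmail has verified the client certificate
# against the configured CA, i.e. ${verify} is OK.  A certificate from any other
# issuer, or an unverifiable one, simply gets no special treatment.

# Coarse rule: relay for every verified client issued by our private mail CA.
CERTISSUER:/C=US/O=Example+20Corp/OU=Mail/CN=Example+20Mail+20CA        RELAY

# Tighter rule: SUBJECT on the issuer line tells sendmail to go on and look up
# the subject DN, so only the named hosts under this CA may relay; any other
# certificate from the same CA falls through and is treated as unauthenticated.
CERTISSUER:/C=US/O=Example+20Corp/OU=Mail/CN=Example+20Internal+20CA    SUBJECT
CERTSUBJECT:/C=US/O=Example+20Corp/OU=Mail/CN=mx1.branch.example.com    RELAY
CERTSUBJECT:/C=US/O=Example+20Corp/OU=Mail/CN=mx2.branch.example.com    RELAY
```

Because the match is on DNs issued by a CA you control, this mechanism is unaffected by what public CAs do with their certificates, which is the point made in the reply above.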