Re: Trivial change in Public Cert behaviour coming soon

[William Herrin via NANOG <nanog () lists nanog org>]

On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG
<nanog () lists nanog org> wrote:
> It appears that Bjørn Mork via NANOG <nanog () lists nanog org> said:
> > > I really wish this zombie argument would die.  The people who run mail
> > > systems are not all stupid, and if client certs were useful, someone
> > > in the past 30 years would have tried using them.
> >
> > I'm not sure what you're trying to say here, but there is no difference
> > between submission and smtp wrt mutual tls. If the server wants to
> > authenticate the client, then a client certificate will be useful.
>
> If the client authenticates it's submission.  If it doesn't, it's SMTP
> unless the client later authenticates with SMTP AUTH.

Hi John,

Only traffic on port 587 is explicitly SMTP submission.. On port 25 it
might or might not be depending on how the client and server choose to
use the authentication. For example, an MSA can add or change
message-id, date and sender headers in the message body while an MTA
is not supposed to.  This happens independent of whether the
connection to the MTA/MSA is authenticated.

Practically speaking, there aren't a lot of applications for client
certificate authenticated SMTP which aren't mail submission. But 99%
is not 100% and it's an error to treat it as if it is.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/DKG5E2QUTJU2YAU2RVV55F4SDJF7BSX7/