Re: Trivial change in Public Cert behaviour coming soon

[Michael Thomas via NANOG <nanog () lists nanog org>]

On 5/23/25 1:11 PM, William Herrin via NANOG wrote:
> On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG
> <nanog () lists nanog org> wrote:
> > It appears that Bjørn Mork via NANOG <nanog () lists nanog org> said:
> > > > I really wish this zombie argument would die.  The people who run mail
> > > > systems are not all stupid, and if client certs were useful, someone
> > > > in the past 30 years would have tried using them.
> > > I'm not sure what you're trying to say here, but there is no difference
> > > between submission and smtp wrt mutual tls. If the server wants to
> > > authenticate the client, then a client certificate will be useful.
> > If the client authenticates it's submission.  If it doesn't, it's SMTP
> > unless the client later authenticates with SMTP AUTH.
> Hi John,
>
> Only traffic on port 587 is explicitly SMTP submission.. On port 25 it
> might or might not be depending on how the client and server choose to
> use the authentication. For example, an MSA can add or change
> message-id, date and sender headers in the message body while an MTA
> is not supposed to.  This happens independent of whether the
> connection to the MTA/MSA is authenticated.
>
> Practically speaking, there aren't a lot of applications for client
> certificate authenticated SMTP which aren't mail submission. But 99%
> is not 100% and it's an error to treat it as if it is.
Plus bakes in the general practice of "hard on the outside, soft on the 
inside" which is a bogus thing to bake in.

If downstream MTAs want client TLS auth, that's their business. Will 
that likely work inter-domain? No, but MTA->MTA SMTP conversations are 
not necessarily inter-domain.

Mike

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/IXBNU33325DQYPRVI6TJFH5WZLIAWSTZ/