On Fri, Jun 02, 2017 at 11:12:15PM +0300, Yoav Nir wrote:
> Slight correction
>
> On 2 Jun 2017, at 22:36, Salz, Rich <[email protected]> wrote:
> >
> >
> >> In addition, Alexey is interested in helping with an ACME challenge for
> >> email certificates. Is anyone else interested in helping to draft drafting?
> >
> > Alex posted a draft just before the meeting. Consensus was to split the
> > SMTP-server related part and the user S/MIME related part and work on them
> > separately.
>
> The first part is any MTA certificate. It obviously applies to SMTP servers
> but also IMAP servers (where they are not co-located with SMTP), and I
> suppose also POP3 although the draft doesn’t mention that.
>
> The reasoning is that MTAs typically have certificates now (although many use
> self-issued) and they have DNS records, so automating the certificate
> issuance is clear and straight-forward.

One thing to note is that the only mail-related port that is currently
allowed for "server" type validation in CABForum BRs is port 25.

So for IMAP, one would presumably want to get port 993 (IMAPS) added to
that list. And 587 (SUBMISSION) could be another candidate.

Also, AFAIK, port 465 is not actually SMTPS, but something totally
unrelated to mail. It is also one of the dirtiest TCP ports out there.
You cannot assume it works even between consenting endpoints (there
are boxes that capture port 465 connections, even if not addressed to
them).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
