On 17.05.2025 at 11:15:17, Grant Taylor via mailop writes:
> 
> Except when /the/ /authenticated/ /server/ /is/ /the/ /client/.
> 
> E.g. my use case wherein MTAs authenticate to each other using their
> server certificate.  --  This could be done via IP in most cases.
> But dynamic IPs at client offices really benefit from the known
> subject from an authorized public CA being allowed to do things
> despite the IP changing out from under them.  (Think outbound relay
> at a spoke office authenticating to a central MTA in corporate HQ.)

I assume in this case all servers are under your control. So you can set up
your own CA and issue your own certs for the client use. I would, if I were
you.

smtpd_tls_cert_file and smtp_tls_cert_file (speaking in Postfix terms) are
two different parameters anyway, so you may have the server present one
(public) certificate when receiving mail, and another (private) one when
sending.

> My concern is that this, like the forthcoming 47 day TLS cert (from
> public CAs), is going to end up causing people to downgrade their
> security thereby worsening the overall security posture.

I think these are two different cases. While the concern about 47-day certs
is indeed justified and valid, people who use mutual server authentication
via certs (like you do) usually use their own certs, because it's simply
more convenient.

> >In our case, the user's identity would be determined by a
> >particular email address.
> 
> And said email address should be the subject of the certificate, not
> just a contact field.

Of course - for client certs, exactly that.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
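The split Jaroslaw describes (public-CA cert on the receiving side, private-CA cert on the sending side, and a private CA for relay authorization from spoke offices with changing IPs) can be written down as two Postfix main.cf fragments. This is an added example, not configuration from the thread or from the Postfix project; the hostnames (hq-mta.example.com, spoke-nyc), file paths and the name of the private CA are assumptions. Postfix does not allow trailing comments on a parameter line, so every comment sits on its own line.

```conf
# ===== Hub MTA at corporate HQ (accepts relay from spoke offices) =====
# Receiving side: present a PUBLIC-CA certificate so any sender can verify us.
# (assumed paths)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/hq-mta.example.com.fullchain.pem
smtpd_tls_key_file = /etc/postfix/certs/hq-mta.example.com.key.pem

# Ask connecting clients for a certificate and verify it ONLY against our
# private relay CA. tls_append_default_CA=no keeps the system public-CA bundle
# out of the client-cert trust store, so a cert from any public CA is not
# enough to relay. (assumed CA file path)
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/certs/private-relay-ca.pem
tls_append_default_CA = no

# Relay for clients whose certificate chains to the private CA, regardless
# of their (dynamic) source IP; everything else still needs a local destination.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination

# ===== Spoke MTA at a branch office (dynamic IP, relays via HQ) =====
relayhost = [hq-mta.example.com]

# Sending side: present the PRIVATE-CA-issued client certificate when HQ asks.
# These are the smtp_* (client) parameters, independent of smtpd_* above.
# (assumed paths)
smtp_tls_cert_file = /etc/postfix/certs/spoke-nyc.relay-ca.pem
smtp_tls_key_file = /etc/postfix/certs/spoke-nyc.relay-ca.key

# Verify HQ's PUBLIC certificate against the system CA bundle and require
# a name match, so the spoke never hands mail to an impostor hub.
# (assumed bundle path; location varies by distribution)
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" afterwards).
# The lookup key must match the relayhost value verbatim, brackets included:
#   [hq-mta.example.com]   secure match=hq-mta.example.com
```

Two things to check after applying this: `postconf -n` on each side to confirm the smtpd_*/smtp_* pairs really point at different files, and `posttls-finger` (or simply the hub's log line `Trusted TLS connection established from ...`) to confirm the client certificate is being verified rather than merely offered. permit_tls_all_clientcerts trusts every certificate the private CA has ever issued; if you need per-host control or revocation without a CRL, use check_ccert_access with a fingerprint map (see smtpd_tls_fingerprint_digest) instead, at the cost of updating that map whenever a spoke's certificate is rotated.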