Hi

On Tue, Jun 23, 2026 at 10:38:34AM -0700, Randolf Richardson, Postmaster via 
mailop wrote:
>       I've seen plenty of problems with TLS encryption failures due to 
> expired certificates, non-matching SNI / wrong certificates, etc., 
> and I suspect a few problems may be a play for many of them...

SMTP in MTA context by default does not provide any way to verify the
remote system.  So neither expiration (now I wonder if someone checks
expiration on trust roots), SNI (do we have a RFC now that specifies SNI
use in MTA) or "wrong" (what is wrong) certificate really matter.  To
change that you need to setup DANE or MTA-STS and monitor that.

>       Also, many mail server daemons will still deliver to SMTP hosts with 
> expired certificates, so users often don't notice when there's a 
> problem with TLS,

Users don't connect to a SMTP server in MTA context.  They connect to
one in MSA context and there the normal TLS requirements apply, with SNI
and so.  But this only concerns users of this server, not you as
unrelated party.

>               that the correct TLS versions are supported/dropped as 
> the security industry changes, etc., which fits well into the DNS 
> zone updates for rolling DKIM keys, DNS traffic encryption, etc.

Sadly, incorrect.  In MTA context you want to allow encryption, even if
bad, because you also accept clear text.  Only if you do not accept
clear text, and only the client can make that decision really, then you
can and maybe should force some higher floor.

Bastian

-- 
There are certain things men must do to remain men.
                -- Kirk, "The Ultimate Computer", stardate 4929.4
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Reply via email to