On Tue, 23 Jun 2026, Randolf Richardson, Postmaster via mailop wrote:
[Snip]
PS, on the subject of ESP's.. what is the deal with so many bad
certificates from ESP's..
I've seen plenty of problems with TLS encryption failures due to
expired certificates, non-matching SNI / wrong certificates, etc.,
and I suspect a few problems may be a play for many of them...
Automation is usually focused on keeping free certificates (like
Let's Encrypt's, which has a 90-day cycle) updated on web server
daemons, but very rarely for other daemons, and so I suspect that
it's likely an oversight since eMail system configurations tend to
require less maintenance than web server configurations (which often
host custom programming).
Also, many mail server daemons will still deliver to SMTP hosts with
expired certificates, so users often don't notice when there's a
problem with TLS, unless their eMail client applications report
certificate problems when receiving or sending eMail ... or users
don't bother to report anything to their technical support since
choosing "Accept the Risks" has become a common part of modern
computing (even some "Cookie usage" notices present as security
notices, which also contributes to users habitually ignoring warnings
due to "security risk" notices being commonplace).
Postmasters should be checking regualrly on the state of the TLS
certificates that their mail systems use, and ensuring renewals occur
early enough, that the correct TLS versions are supported/dropped as
the security industry changes, etc., which fits well into the DNS
zone updates for rolling DKIM keys, DNS traffic encryption, etc.
RFC8460 defines a mechanism - SMTP TLSRPT - for sending domains that are
compatible with MTA-STS or DANE to share success and failure statistics
with recipient domains, including reports of invalid certificates.
Do note the issue with me sending an you email to say that I could
not send you and email ... hence the option of an https POST.
Whilst very few MTAs currently send reports, there are a pair of projects
under
https://github.com/sys4
- libtlsrpt and tlsrpt-reporter - which together will allow more MTAs
to generate TLSRPT messages.
I believe that libtlsrpt is integrated into Postfix.
I would like to attempt the same for Exim once I get my head around
tlsrpt-reporter. It would help me if it had an Ubuntu package.
--
Andrew C. Aitchison Kendal, UK
[email protected]
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop