On 2026-06-23 at 20:03 +0200, Bastian Blank wrote:
> So neither expiration (now I wonder if someone checks
> expiration on trust roots),

I don't think MTA are implementing TLS themselves They will be using a
SSL library, which is the reasonable approach. They will either use
what the tls library implements for validation, or disable validation
altogether.

Since most tls libraries do check the expiration of the root CA, I
expect clients would validate the CA Not after as well.
* An exception here is Android, which (purposefully) ignores the
expiration date for CA in the Trust Store.

Regards

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Reply via email to