It appears that Bjørn Mork via NANOG <[email protected]> said:
>> I really wish this zombie argument would die. The people who run mail
>> systems are not all stupid, and if client certs were useful, someone
>> in the past 30 years would have tried using them.
>
>I'm not sure what you're trying to say here, but there is no difference
>between submission and smtp wrt mutual tls. If the server wants to
>authenticate the client, then a client certificate will be useful.

If the client authenticates, it's submission. If it doesn't, it's SMTP
unless the client later authenticates with SMTP AUTH.

>Having optional authentication on port 25 doesn't mean that arbitrary
>MTAs contacting your MX will be asked to authenticate. It just means
>that friendly clients are allowed to authenticate, and may get special
>treatment if they do. Typically being allowed to use the smtp server
>as a smarthost, similar to what you'd expect on the submission port.

Right, that's submission, not SMTP.

>I for one use client certificate authentication on ports 25, 465 and
>587.

Right, that's still submission.

>There is also the sendmail accessdb support for client certificates.
>Note that this is different from doing "AUTH EXTERNAL". It doesn't
>result in an authenticated username. It's more like access list rules,
>where you match on subject and/or issuer instead of the client IP. Such
>rules can be used to e.g. allow relaying for specific hosts.

Right, that's another form of submission.

I think we agree that if you can only use privately signed certs in
that context, it's no great loss.

R's,
John

PS: For anyone who hasn't been following along, Postfix and Exim are a
lot more popular than sendmail these days. Sendmail is more interesting
as an historical artifact.

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/ZXANTWKJQAZIRJJT6DQMXNEA57YYVAUZ/
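As an added example, not code from the thread or from either of the people quoted in it, here is what the setup described above (optional client-certificate authentication on port 25 that grants relaying only to known certificates, with the same trust applied on the submission port) looks like in Postfix, since the PS notes that is what most people run today. The file paths, the private CA name and the fingerprint value are placeholders; the client certificates are assumed to be signed by that private CA, which is the case the thread says is no great loss.

```conf
# /etc/postfix/main.cf  (added example; paths and CA are placeholders)

# Port 25: offer TLS to everyone, ask for a client certificate, but do not
# require one. Arbitrary MTAs delivering to the MX still connect without
# a cert and get ordinary inbound delivery only.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/mx.crt
smtpd_tls_key_file = /etc/postfix/mx.key
# Private CA that signs the friendly clients' certificates.
smtpd_tls_CAfile = /etc/postfix/private-ca.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
# Digest used for relay_clientcerts lookups below.
smtpd_tls_fingerprint_digest = sha256

# Relaying is granted only to a presented cert whose fingerprint is in the
# table, or to a SASL-authenticated client. Everything else is deferred
# for non-local destinations, so port 25 stays plain SMTP for the world.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    defer_unauth_destination

# /etc/postfix/relay_clientcerts  (build with: postmap /etc/postfix/relay_clientcerts)
# <sha256 fingerprint of the client cert>   <free-form right-hand side>
# The fingerprint below is a placeholder, not a real certificate.
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99   friendly-smarthost-client

# /etc/postfix/master.cf  (submission port: TLS and a client cert are mandatory)
submission inet n - y - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_req_ccert=yes
```

With this, a client that presents a listed certificate on port 25 is treated exactly as it would be on 587 (it may relay), which is the point John is making: the moment the client authenticates, the session is submission whatever port it arrived on. A client that presents no cert, or one that is not in the table, still gets an inbound-only SMTP session rather than a rejection, so the optional check never disturbs ordinary MX traffic.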
