On 5/23/25 9:38 PM, John Levine via NANOG wrote:
> As someone else noted, in this utterly implausible scenario
I'll give you implausible or unlikely or rare. Maybe even rare enough
to be effectively nobody.
> (nobody uses domain certificates to authorize mail submission,
But I will not give you actual nobody. I know multiple other people
that use their server's TLS certificate from a public CA for mTLS to
authorize submission.
Your statement that nobody uses domain certificates to authorize mail
submission, as in zero people, is wrong.
The certificates in question are for the system's FQDN.
> and SMTP doesn't use client certs at all)
In order to avoid SMTP (server receiving email) vs submission (server
relaying email) I'll say this: I know of multiple MTAs that are using
their cert for their FQDN to authenticate to other servers while
relaying email.
The first / relaying server is using its TLS certificate for mTLS with
the next server in line.
> you would have your private CA sign the certs for your users.
You seem to be thinking / talking about people in front of keyboards /
smart devices.
I'm talking about /servers/; NS1, NS2, and FS1, not people, using mTLS
to authenticate to MTA1.
> You do know that you can have multiple signatures on the same cert,
> don't you?
Yes, I'm well aware of that.
What I'm not aware of is what different signers have to do with extended
key usage options. -- My understanding is that the EKU options are
requested in the CSR and approved EKU options are propagated to the
signed cert. But a single cert signed by multiple signers would still
have the same EKU options.
--
Grant. . . .
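Added example, not part of the thread above and not anyone's production code: a small standard-library Python decoder for the extendedKeyUsage extension value, plus the check an mTLS peer applies when deciding whether a presented certificate may act as a TLS client. The EKU bytes are constructed by hand for illustration, not taken from any real certificate; the OIDs and the rule that a present EKU restricts the cert to the listed purposes (or anyExtendedKeyUsage) are from RFC 5280. The EKU extension sits inside tbsCertificate, the part a CA signs, so the purposes are fixed when the CSR's requested EKUs are accepted, regardless of who signs.

```python
"""Decode an X.509 extendedKeyUsage (EKU) value and decide whether a cert
carrying it may be used as a TLS client certificate (e.g. for mTLS to an
MTA). Standard library only; sample DER below is constructed, not real."""

# Well-known EKU OIDs (RFC 5280, section 4.2.1.12)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    # The first two arcs are packed into one value: 40*X + Y (X is 0, 1 or 2)
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; return dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def allows_client_auth(eku_oids):
    """RFC 5280: with no EKU extension the cert is unrestricted; with one,
    it may only be used for the listed purposes or anyExtendedKeyUsage."""
    if eku_oids is None:
        return True
    return "1.3.6.1.5.5.7.3.2" in eku_oids or "2.5.29.37.0" in eku_oids


# Constructed sample EKU values (hand-encoded DER, not from a real cert):
# serverAuth + clientAuth, the profile that lets a server cert double as an mTLS client cert
EKU_SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# serverAuth only: an MTA presenting this as a client cert should be rejected
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")


def describe(der):
    """Human-readable purposes plus the client-auth verdict for one EKU value."""
    oids = parse_eku(der)
    names = [EKU_NAMES.get(o, o) for o in oids]
    return names, allows_client_auth(oids)


if __name__ == "__main__":
    for label, der in (("server+client", EKU_SERVER_AND_CLIENT), ("server-only", EKU_SERVER_ONLY)):
        names, ok = describe(der)
        print(f"{label}: {names} -> client auth {'OK' if ok else 'REJECTED'}")
```

Running it shows the server+client value accepted and the server-only value rejected; the verdict depends only on the bytes inside the signed tbsCertificate, which is the point about multiple signers not altering EKU.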
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/MTRTU76A4SOWNR4RGWFZKVJB6HY4U7K3/