Hi Simon,
SMTP is unusual in that there's no expectation that the connection will be
secured at all, for historical reasons. The mechanism you describe is wrong
from a maximum-security point of view, but SMTP is normally not even
encrypted, so it's (slightly) better than nothing...
If email was invented now, and had mandatory TLS, MTAs would refuse to deliver
mail for (say) [email protected] unless the destination
mailserver could present a certificate indicating that it is, or is
authorized to act on behalf of, collabora.co.uk. Getting there
from here is basically impossible for email due to the number of existing
deployments it'd break, but at least we can avoid this design flaw for XMPP...
The collabora.co.uk server shows the following certificate on s2s:
The certificate is self-signed, expired in 2009, and there is no
indication that the server is authorized to act on behalf of
collabora.co.uk.
Do you know of any servers that refuse to deliver stanzas to your domain?
*scnr
philipp
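
The three problems reported above (self-signed, expired, no name tying the server to the domain) can be checked mechanically. The following is an added example, not part of the original message: it works on a certificate already decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The function names, the `example.org` domain and both sample certificates are constructed for illustration, and only DNS-type names are compared (XMPP-specific name types are not handled).

```python
import ssl
from datetime import datetime, timezone

def _names(rdn_seq):
    # Flatten the nested tuple form used for subject/issuer into (key, value) pairs.
    return [pair for rdn in rdn_seq for pair in rdn]

def _dns_match(pattern, domain):
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = domain.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == domain

def s2s_cert_findings(cert, domain, now=None):
    """Return the reasons a decoded certificate should not be trusted for `domain`."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Issuer equals subject: self-issued. The signature itself is not verified here.
    if _names(cert.get("subject", ())) == _names(cert.get("issuer", ())):
        findings.append("self-issued")
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > not_after:
        findings.append("expired")
    # Prefer subjectAltName DNS entries; fall back to commonName only if there are none.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        sans = [v for k, v in _names(cert.get("subject", ())) if k == "commonName"]
    if not any(_dns_match(p, domain) for p in sans):
        findings.append("not-authorized-for-domain")
    return findings

# Constructed samples: one shaped like the certificate described above, one acceptable.
BAD_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notAfter": "Jun  1 00:00:00 2009 GMT",
}
GOOD_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("commonName", "Constructed CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
CHECK_TIME = datetime(2012, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(s2s_cert_findings(BAD_CERT, "example.org", CHECK_TIME))
    print(s2s_cert_findings(GOOD_CERT, "example.org", CHECK_TIME))
```

`getpeercert()` returns an empty dict when verification is disabled, so a certificate that fails validation has to be decoded from its DER form by other means before this check can inspect it.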