On Thu, Jun 19, 2025 at 03:13:34PM -0400, John Levine wrote:

> It appears that Filippo Valsorda  <fili...@ml.filippo.io> said:
> >I'm sorry, I am losing track. Sounds like mutual TLS in SMTP was already not 
> >a thing *before* the policy change, except for one vendor, then?
> 
> I don't know why this keeps coming up. SMTP does not do mutual 
> authentication, and never has. 
> 
> SMTP servers present a certificate after a STARTTLS command, clients
> do not. Sometimes the clients check the server certificate (TLSA or
> MTA-STS) but more often not. 

While "SMTP" (as opposed to SUBMIT) servers typically do not solicit
certificates, apparently in Microsoft Exchange environments, MTA-to-MTA
(relay) traffic does use client certificates for mutual TLS
authentication.  And of course on the public Internet, anything that's
possible happens somewhere, so some SMTP (relay) servers request client
certs for no good reason, and some clients are configured to then send
these (again for no good reason).

> Mail submission, which is not the same as SMTP (ports 465 and 587)
> occasionally uses client certs but the normal scenario there is for
> the server to distribute privately signed certs to the clients
> so it need only check that it sees its own signature.

The clients in question are typically "servers" (null-client MTAs), so
the OP's point that client certs are used by machines that serve dual
client + server roles is correct, though such use is not the norm.

--
    Viktor.
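An added example, not part of the thread above: a small POSIX shell helper for auditing one's own relays for the behaviour discussed here, by checking whether a STARTTLS handshake transcript from `openssl s_client -msg` contains a server-sent CertificateRequest. The function names, the hand-written sample transcripts and the host name `relay.example` are assumptions for this example.

```shell
#!/bin/sh
# classify_transcript TRANSCRIPT: given the output of
#   openssl s_client -starttls smtp -connect HOST:25 -msg
# report whether the server solicited a client certificate. With -msg, every
# handshake message the server sends is printed as a line starting with '<<< ',
# so a server-side CertificateRequest line is the mutual-TLS solicitation.
# Prints one label and returns 0 (requested), 1 (not requested) or 2 (no TLS).
classify_transcript() {
  transcript="$1"
  if ! printf '%s\n' "$transcript" | grep -q '^<<< .*Handshake .*, ServerHello'; then
    echo "no-tls-handshake"        # STARTTLS refused or connection failed
    return 2
  fi
  if printf '%s\n' "$transcript" | grep -q '^<<< .*Handshake .*, CertificateRequest'; then
    echo "requests-client-cert"    # server asks; an ordinary MTA answers with an empty Certificate
    return 0
  fi
  echo "no-client-cert-request"    # the common case: server-only authentication
  return 1
}

# probe_relay HOST [PORT]: run the probe live (e.g. probe_relay relay.example) and classify it.
probe_relay() {
  host="$1"; port="${2:-25}"
  classify_transcript "$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:$port" -msg 2>&1)"
}

# Constructed sample transcripts (hand-written for this example, not captured
# from a real relay) so the classifier can be exercised without network access.
SAMPLE_REQUESTS_CCERT='>>> TLS 1.3, Handshake [length 00e8], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0025], CertificateRequest
<<< TLS 1.3, Handshake [length 02f1], Certificate
<<< TLS 1.3, Handshake [length 004f], CertificateVerify
<<< TLS 1.3, Handshake [length 0024], Finished
>>> TLS 1.3, Handshake [length 0004], Certificate
>>> TLS 1.3, Handshake [length 0024], Finished'

SAMPLE_SERVER_ONLY='>>> TLS 1.3, Handshake [length 00e8], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 02f1], Certificate
<<< TLS 1.3, Handshake [length 004f], CertificateVerify
<<< TLS 1.3, Handshake [length 0024], Finished
>>> TLS 1.3, Handshake [length 0024], Finished'

SAMPLE_NO_STARTTLS='454 4.7.0 TLS not available due to temporary reason'
```

A relay that merely requests a certificate still completes the handshake with an MTA that has none, so "requests-client-cert" on its own is a configuration finding rather than a delivery failure.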

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org