It appears that William Herrin via NANOG <nanog@lists.nanog.org> said:
On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Bjørn Mork via NANOG <nanog@lists.nanog.org> said:
I really wish this zombie argument would die. The people who run mail systems are not all stupid, and if client certs were useful, someone in the past 30 years would have tried using them.
I'm not sure what you're trying to say here, but there is no difference between submission and smtp wrt mutual tls. If the server wants to authenticate the client, then a client certificate will be useful.
If the client authenticates it's submission. If it doesn't, it's SMTP unless the client later authenticates with SMTP AUTH.
Hi John,
Only traffic on port 587 is explicitly SMTP submission.. On port 25 it might or might not be depending on how the client and server choose to use the authentication. For example, an MSA can add or change message-id, date and sender headers in the message body while an MTA is not supposed to. This happens independent of whether the connection to the MTA/MSA is authenticated.
This is a waste of time. If people want to believe that SMTP clients send certificates, there's not much I can do to persuade them otherwise. But in any event, I hope we have established that the number of people affected by the LE change to stop signing client certs rounds to zero. R's, John