On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Bjørn Mork via NANOG <nanog@lists.nanog.org> said:
I really wish this zombie argument would die. The people who run mail systems are not all stupid, and if client certs were useful, someone in the past 30 years would have tried using them.
I'm not sure what you're trying to say here, but there is no difference between submission and smtp wrt mutual tls. If the server wants to authenticate the client, then a client certificate will be useful.
If the client authenticates it's submission. If it doesn't, it's SMTP unless the client later authenticates with SMTP AUTH.
Hi John, Only traffic on port 587 is explicitly SMTP submission.. On port 25 it might or might not be depending on how the client and server choose to use the authentication. For example, an MSA can add or change message-id, date and sender headers in the message body while an MTA is not supposed to. This happens independent of whether the connection to the MTA/MSA is authenticated. Practically speaking, there aren't a lot of applications for client certificate authenticated SMTP which aren't mail submission. But 99% is not 100% and it's an error to treat it as if it is. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/