brent saner via NANOG <nanog@lists.nanog.org> writes:
On Sat, May 17, 2025, 19:34 William Herrin via NANOG <nanog@lists.nanog.org> wrote:
Does seem like it might have an impact on SMTP...
SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU, which is what they're deprecating/removing. Certs are used on MTAs for *identity verification of the server* and *integrity validation/encryption*, not authentication.
It is strictly only used for *authenticating clients*, hence the name, in mTLS (or *client*-driven one-way TLS, which I don't think I've ever actually seen in the wild to my knowledge).
The only case this would matter is if you are using an MUA/sender/client *authenticating* to an MTA with a certificate. 99.999% of email is one-way server TLS, not mTLS. LE certs will continue to work fine for SMTP.
maybe this answers my questions. I am not sure. Is there any clear documenation of what is going on here?
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HV65MB3D...
-- Christian de Larrinaga