On Sat, May 17, 2025, 19:34 William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Sat, May 17, 2025 at 4:23 PM Colin Constable via NANOG <nanog@lists.nanog.org> wrote:
Is anyone else worried about this? We use public certs for client auth in a number of cases.
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
Does seem like it might have an impact on SMTP...
SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU, which is what they're deprecating/removing. Certs are used on MTAs for *identity verification of the server* and *integrity validation/encryption*, not authentication. It is strictly only used for *authenticating clients*, hence the name, in mTLS (or *client*-driven one-way TLS, which I don't think I've ever actually seen in the wild to my knowledge). The only case this would matter is if you are using an MUA/sender/client *authenticating* to an MTA with a certificate. 99.999% of email is one-way server TLS, not mTLS. LE certs will continue to work fine for SMTP.