
On 5/23/25 9:38 PM, John Levine via NANOG wrote:
> As someone else noted, in this utterly implausible scenario
I'll give you implausible or unlikely or rare. Maybe even rare enough to be effectively nobody.
> (nobody uses domain certificates to authorize mail submission,
But I will not give you actual nobody. I know multiple other people that use their server's TLS certificate from a public CA for mTLS to authorize submission. Your statement that nobody uses domain certificates to authorize mail submission, as in zero people, is wrong. The certificates in question are for the system's FQDN.
> and SMTP doesn't use client certs at all)
In order to avoid SMTP (server receiving email) vs submission (server relaying email) I'll say this: I know of multiple MTAs that are using their cert for their FQDN to authenticate to other servers while relaying email. The first / relaying server is using its TLS certificate for mTLS with the next server in line.
> you would have your private CA sign the certs for your users.
You seem to be thinking / talking about people in front of keyboards / smart devices. I'm talking about /servers/; NS1, NS2, and FS1, not people, using mTLS to authenticate to MTA1.
> You do know that you can have multiple signatures on the same cert, don't you?
Yes, I'm well aware of that. What I'm not aware of is what different signers have to do with extended key usage options. -- My understanding is that the EKU options are requested in the CSR and approved EKU options are propagated to the signed cert. But a single cert signed by multiple signers would still have the same EKU options. -- Grant. . . .
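The thread turns on whether a relay's FQDN certificate is usable as an mTLS client identity, which comes down to what the cert actually says: its EKU extension (fixed at signing, whoever signs it) and the SAN that names the host. The following is an added example, not code from the thread or from any participant, showing the two checks a receiving MTA's policy would want before trusting such a cert, exercised against self-signed fixtures generated on the spot. The hostnames (relay.example.net, www.example.net) and file names are constructed; the commands rely on OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): inspect a PEM certificate the way a
# receiving MTA's acceptance policy could, before treating it as an mTLS client
# identity for a relaying peer. Hostnames and paths are constructed placeholders.

# Return 0 if the cert's EKU extension includes TLS Web Client Authentication.
# A public-CA "server" cert that lacks this cannot legitimately act as a client.
cert_allows_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Return 0 if the cert carries a DNS SAN exactly equal to the expected FQDN.
# -F (fixed string) keeps the dots literal; -w rejects longer names that merely
# share the prefix (e.g. relay.example.network).
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -qwF "DNS:$2"
}

# Combined policy: accept a relay's cert only if it is usable as a client
# certificate AND names the FQDN we expect that relay to present.
# (Chain validation against the trusted CA set is a separate step, not shown.)
accept_relay_cert() {
    cert_allows_client_auth "$1" && cert_has_dns_san "$1" "$2"
}

# Build a self-signed test fixture: $1 = output PEM, $2 = FQDN, $3 = EKU list.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
# A relay cert with both EKUs, the shape the thread describes for FQDN certs.
make_cert "$WORK/relay.pem"  relay.example.net "serverAuth,clientAuth"
# A server-only cert: valid for TLS service, but not as a client identity.
make_cert "$WORK/server.pem" www.example.net   "serverAuth"

for pair in "relay.pem relay.example.net" "server.pem www.example.net" "relay.pem other.example.net"; do
    set -- $pair
    if accept_relay_cert "$WORK/$1" "$2"; then
        echo "accept $1 as client identity for $2"
    else
        echo "reject $1 as client identity for $2"
    fi
done
```

Run as-is and the relay cert is accepted for its own FQDN, rejected for a different FQDN, and the server-only cert is rejected outright because its EKU never included clientAuth. That last case is the practical consequence of the point made above: no additional signature can add an EKU value the certificate body does not already carry.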