On Sun, May 18, 2025, 13:30 Grant Taylor via NANOG <nanog@lists.nanog.org> wrote:
On 5/18/25 12:14 PM, Tom Beecher via NANOG wrote:
"I am FOO." = Identification
"This is proof I am FOO" = Authentication
Okay. I think that's a fair distinction.
Based on these meanings, I think that most contemporary MTAs use some form of (weak) authenticated identity. The most common that I see is reverse DNS with forward DNS confirmation. A less common form of (client) authentication is username & password.
N.B. Only less common in that there are more MTA-to-MTA connections than there are MUA-to-MTA connections. -- I'm eliding illegitimate connections like credential stuffing attacks.
I haven't seen a properly configured Internet accessible MTA not do any form of authentication in many years. More like multiple decades at this point.
So I posit that Brent's "SMTP do not authenticate" statement is outdated at best.
MTAs don't authenticate to each other. They *usually* verify the certm but this *is not* authentication- there is no context given to the idemtity, merely that the public key is trusted.
What is done with that authenticated identity is a down-stream and independent of the authentication process itself.
If authentication is done on an identity provided, *that is downstream*. TLS, by itself, is not authentication. Encryption and the trust/validity/verification if it is *not* authentication. (Internet-facing) MTAs do *not* allow/disallow entry of the service based on the identity itself.