
It appears that Bjørn Mork via NANOG <nanog@lists.nanog.org> said:
I really wish this zombie argument would die. The people who run mail systems are not all stupid, and if client certs were useful, someone in the past 30 years would have tried using them.
> I'm not sure what you're trying to say here, but there is no difference between submission and smtp wrt mutual tls. If the server wants to authenticate the client, then a client certificate will be useful.
If the client authenticates, it's submission. If it doesn't, it's SMTP unless the client later authenticates with SMTP AUTH.
> Having optional authentication on port 25 doesn't mean that arbitrary MTAs contacting your MX will be asked to authenticate. It just means that friendly clients are allowed to authenticate, and may get special treatment if they do. Typically being allowed to use the smtp server as a smarthost, similar to what you'd expect on the submission port.
Right, that's submission, not SMTP.
> I for one use client certificate authentication on ports 25, 465 and 587.
Right, that's still submission.
> There is also the sendmail accessdb support for client certificates. Note that this is different from doing "AUTH EXTERNAL". It doesn't result in an authenticated username. It's more like access list rules, where you match on subject and/or issuer instead of the client IP. Such rules can be used to e.g. allow relaying for specific hosts.
Right, that's another form of submission. I think we agree that if you can only use privately signed certs in that context, it's no great loss.

R's,
John

PS: For anyone who hasn't been following along, Postfix and Exim are a lot more popular than sendmail these days. Sendmail is more interesting as an historical artifact.
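For readers who have not seen the sendmail accessdb mechanism mentioned in the thread, here is what those client-certificate relay rules look like. This is an added illustration, not configuration posted by anyone in the thread; the CA, host names, DNs and file paths are made up, and the exact DN encoding (spaces and other special characters written as +HH) should be checked against the STARTTLS section of sendmail's cf/README for the version you run.

```text
dnl --- sendmail.mc excerpt (hypothetical site, example values) ---
dnl Enable the access map and point STARTTLS at a private CA that signs
dnl the client certificates of the hosts allowed to relay through us.
FEATURE(`access_db')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/example-private-ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/mx.example.net.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/mx.example.net.key')dnl

# --- /etc/mail/access excerpt (hypothetical, rebuild with makemap) ---
# Entries are matched against the issuer/subject DN of a client cert that
# verified (${verify} = OK), not against the client IP.

# Any verified cert issued by this CA may relay.  The CA is private, so
# this is effectively "hosts we enrolled", not "anyone on the Internet".
CERTISSUER:/C=NO/O=Example/CN=Example+20Relay+20CA        RELAY

# For this CA, do not trust the whole issuer: require a subject match too.
CERTISSUER:/C=NO/O=Example/CN=Example+20Client+20CA       SUBJECT
CERTSUBJECT:/C=NO/O=Example/CN=relay1.example.net          RELAY
CERTSUBJECT:/C=NO/O=Example/CN=relay2.example.net          RELAY

# Insist that this particular peer present a verified cert, not merely
# encrypt the session.
TLS_Clt:relay1.example.net                                  VERIFY
```

Two points a practitioner will want to note. First, as the thread says, this grants relaying without producing an authenticated user name; if you need an identity to log or rate-limit, that is what AUTH EXTERNAL gives you instead. Second, the Postfix analogue of the same idea is `smtpd_tls_ask_ccert = yes` together with `permit_tls_clientcerts` in the relay restrictions and a `relay_clientcerts` map keyed by certificate fingerprint, so the "private CA plus access rule" pattern is not specific to sendmail.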