On Fri, 16 Jan 2009, Florian Weimer wrote:
> There's no PKI for Internet Mail routing, so I don't see what you get by checking certificates at all.

That's not entirely true. SMTP over TLS is intended to work for inter-domain SMTP, and it is in fact quite frequently used. However it is utterly broken, with the result that what PKI there is is not in practice used. The brokenness is:

* TLS certificates verify host names not mail domains, so they only provide protection for the result of an MX lookup - they don't verify the MX lookup itself was not spoofed.

* Most SMTP software does not check certificates and many certificates installed on MX hosts have different common names from the MX record target hostname. Turning on certificate verification breaks too much email, and there's no incentive for postmasters to install valid certificates.

These problems are extremely hard to fix.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
FITZROY SOLE: WEST OR SOUTHWEST 5 TO 7, INCREASING GALE 8 AT TIMES, THEN BACKING SOUTH 7 TO SEVERE GALE 9, PERHAPS STORM 10 LATER. VERY ROUGH OR HIGH. RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
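
Added example, not part of the message above and not taken from any mail software: a small Python audit that, given an MX lookup result and the names in each MX host's certificate, reports what the certificate actually vouches for. The mail domain, MX targets and certificate names are constructed sample data, and name_matches and audit_mx are hypothetical helper names.

```python
# Added illustration. All domains, MX targets and certificate names below are
# constructed sample data; name_matches/audit_mx are hypothetical helpers.

def name_matches(pattern, hostname):
    """Compare a certificate name with a hostname. A wildcard is honoured
    only as the entire left-most label, as in common TLS name matching."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_mx(mail_domain, mx_targets, cert_names):
    """Say what each MX host's certificate can vouch for.
    mx_targets: hostnames from the MX lookup (not authenticated by TLS).
    cert_names: {mx_host: [names presented in that host's certificate]}."""
    report = {}
    for mx in mx_targets:
        names = cert_names.get(mx, [])
        if any(name_matches(n, mail_domain) for n in names):
            report[mx] = "binds-mail-domain"
        elif any(name_matches(n, mx) for n in names):
            # Valid for the host, but only as trustworthy as the MX answer.
            report[mx] = "binds-mx-host-only"
        else:
            report[mx] = "name-mismatch"
    return report

MAIL_DOMAIN = "example.org"
MX_TARGETS = ["mx1.example.org", "mx2.mailhost.example.net",
              "mail.example.org", "mx.unrelated.example"]
CERT_NAMES = {
    "mx1.example.org": ["mx1.example.org"],
    "mx2.mailhost.example.net": ["*.mailhost.example.net"],
    # Certificate installed under a different name than the MX target.
    "mail.example.org": ["smtp-out.example.org"],
    # Stands in for a forged MX answer: the certificate matches its host,
    # so a host-name check alone cannot tell it from the real MX hosts.
    "mx.unrelated.example": ["mx.unrelated.example"],
}

if __name__ == "__main__":
    for host, verdict in audit_mx(MAIL_DOMAIN, MX_TARGETS, CERT_NAMES).items():
        print(f"{host:28} {verdict}")
```

The "name-mismatch" row is the case that breaks delivery when verification is switched on; the two "binds-mx-host-only" rows for unrelated hosts show why a passing host-name check says nothing about the mail domain.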