Subject: Re: Client Auth certificates, threat or menace?
From: INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please) (at) *nospam* esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Date: 20. May 2025, 19:48:01
Organization: MGT Consulting
Message-ID: <100iip0$di9$1@news.misty.com>
References: 1
User-Agent: trn 4.0-test77 (Sep 1, 2010)
John Levine wrote:
> By my understanding, the only place that a mail system uses Client
> Authentication certs is that a submission client can present a cert
> for SMTP AUTH rather than a username and a password. It's a niche

There is more, see cf/README: Relaying.

> This thread at Let's Encrypt claims that this will break sendmail because it
> checks for the Client bit when it's sending mail. That seems wrong but I
sendmail doesn't care about "EKU":
sendmail.org.cert.pem
Certificate:
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
that cert is used for the sendmail.org SMTP server and client
and my host verifies it just fine:
client_ip=50.19.116.123, client_name=mc.sendmail.org., starttls=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, cipher_bits=256, verify=OK, cert_subject=/C=US/ST=California/O=Proofpoint,+20Inc./CN=sendmail.org, cert_issuer=/C=GB/ST=Greater+20Manchester/L=Salford/O=Sectigo+20Limited/CN=Sectigo+20RSA+20Organization+20Validation+20Secure+20Server+20CA
-- 
Note: please read the netiquette before posting. I will almost never reply to top-postings which include a full copy of the previous article(s) at the end because it's annoying, shows that the poster is too lazy to trim his article, and it's wasting the time of all readers.
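An added example, not code from the post or from sendmail: a small Python parser for the STARTTLS log line format shown above. It decodes sendmail's +HH escaping of characters in the logged DN values (the +20 spaces visible in the log line), splits the fields, and reports the verify result and the certificate names so a reviewer can see what verify=OK does and does not cover. The second sample line is constructed.

```python
import re

# Constructed sample input: the STARTTLS log line quoted in the post, plus a
# constructed second line for a peer whose certificate did not verify.
SAMPLE_LOG = [
    "client_ip=50.19.116.123, client_name=mc.sendmail.org., starttls=TLSv1.3, "
    "cipher=TLS_AES_256_GCM_SHA384, cipher_bits=256, verify=OK, "
    "cert_subject=/C=US/ST=California/O=Proofpoint,+20Inc./CN=sendmail.org, "
    "cert_issuer=/C=GB/ST=Greater+20Manchester/L=Salford/O=Sectigo+20Limited"
    "/CN=Sectigo+20RSA+20Organization+20Validation+20Secure+20Server+20CA",
    "client_ip=192.0.2.10, client_name=mx.example.net., starttls=TLSv1.2, "
    "cipher=ECDHE-RSA-AES256-GCM-SHA384, cipher_bits=256, verify=FAIL, "
    "cert_subject=/CN=mx.example.net, cert_issuer=/CN=mx.example.net",
]


def decode_xtext(value: str) -> str:
    """Undo sendmail's +HH escaping of DN values ('+20' is a space).

    The escaping keeps ', ' inside a DN (e.g. 'Proofpoint, Inc.') from being
    mistaken for the field separator, so split fields first, then decode."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def dn_component(dn: str, attr: str) -> str:
    """Return the first value of attr (e.g. 'CN') from a /-separated DN."""
    for part in dn.split("/"):
        if part.startswith(attr + "="):
            return part[len(attr) + 1:]
    return ""


def analyze_tls_log(line: str) -> dict:
    """Parse one STARTTLS log line into decoded names and a verify verdict."""
    fields = dict(item.split("=", 1) for item in line.split(", "))
    subject = decode_xtext(fields.get("cert_subject", ""))
    issuer = decode_xtext(fields.get("cert_issuer", ""))
    peer = fields.get("client_name", "").rstrip(".")
    return {
        "client_ip": fields.get("client_ip"),
        "protocol": fields.get("starttls"),
        # verify=OK reports that the chain validated against the configured
        # CA set; as the post notes, the EKU extension plays no part in it.
        "verified": fields.get("verify") == "OK",
        "subject": subject,
        "issuer_cn": dn_component(issuer, "CN"),
        # Whether the subject CN equals the peer's name is a separate question
        # from chain validation; it is reported here only for the reader.
        "name_matches_cn": peer == dn_component(subject, "CN"),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(analyze_tls_log(entry))
```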