On 2025-04-07 at 12:59:52 UTC-0400 (Tue, 8 Apr 2025 02:59:52 +1000)
Viktor Dukhovni via mailop <mailop@mailop.org>
is rumored to have said:
On Mon, Apr 07, 2025 at 12:47:33PM -0400, Bill Cole via mailop wrote:
On 2025-04-07 at 09:38:56 UTC-0400 (Mon, 7 Apr 2025 06:38:56 -0700 (PDT))
Mark Milhollan via mailop <lists-mai...@milhollan.com>
is rumored to have said:
Mainly it is for browsers but that would force some senders to go along if their receivers began rejecting expired certificates
It is exceedingly rare for senders to use *any* certificate in a SMTP TLS session. Very few servers request them and they are not needed for encrypting traffic.
The OP is suggesting that servers would need to set short expiration times even on self-signed certs, ... Some sort of server cert is almost always required to use TLS with SMTP,
Please re-read what I wrote. I think you *misread* "senders" as "servers."
Of course servers need certs. Clients (SENDERS) do not. I feel certain that you know this and have said it frequently here in the past...
use of anonymous ciphers (TLS <= 1.2), or raw public keys (RFC7250) is relatively rare (Postfix to Postfix when TLS 1.3 is not supported would be the bulk of anon-TLS traffic).
In Postfix, with DANE "3 1 [12]" records and OpenSSL 3.2 or later, raw public keys are used, and the certificate is replaced by just the enclosed public key, any expiration date is then never communicated to the client.
--
Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
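The "3 1 [12]" point above, worked through as an added example (not code from the thread or from Postfix): a DANE-EE TLSA record is a digest over the SubjectPublicKeyInfo alone, so a server that presents a raw public key (RFC 7250) can be matched without any certificate, and hence without any notAfter date. The Ed25519 key, the DER prefix handling and the hostname are constructed sample data; only hashlib from the standard library is used.

```python
import hashlib

# Ed25519 SubjectPublicKeyInfo (RFC 8410) is a fixed 12-byte DER prefix
# followed by the 32-byte raw key; SAMPLE_KEY is constructed test data,
# not a real server key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPKI = ED25519_SPKI_PREFIX + SAMPLE_KEY

# Matching types from RFC 6698: 1 = SHA-256, 2 = SHA-512 (the "3 1 [12]" case).
_DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_rdata(spki_der: bytes, matching_type: int) -> tuple:
    """Build (usage, selector, matching type, data) for a DANE-EE (3),
    SPKI (1) TLSA record covering this key. Only the public key bytes are
    hashed, so a certificate's notBefore/notAfter never enters the record."""
    if matching_type not in _DIGEST:
        raise ValueError("only matching types 1 and 2 are handled here")
    digest = _DIGEST[matching_type](spki_der).hexdigest()
    return (3, 1, matching_type, digest)


def parse_tlsa(presentation: str) -> tuple:
    """Parse the presentation form 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = presentation.split()
    return (int(usage), int(selector), int(mtype), hexdata.lower())


def rpk_matches(spki_der: bytes, records) -> bool:
    """Does the raw public key (RFC 7250) a server presented match any record?

    A raw public key is just the SPKI, with no certificate and no chain, so:
      - selector 0 (full certificate) records cannot be matched and are skipped;
      - only usage 3 (DANE-EE) is usable, since there is no issuer to check.
    Records that pass those filters match purely on the SPKI digest."""
    for usage, selector, mtype, hexdata in records:
        if usage != 3 or selector != 1 or mtype not in _DIGEST:
            continue
        if tlsa_rdata(spki_der, mtype)[3] == hexdata.lower():
            return True
    return False


if __name__ == "__main__":
    rec = tlsa_rdata(SAMPLE_SPKI, 1)
    print("_25._tcp.mx.example. IN TLSA %d %d %d %s" % rec)  # constructed name
    print("raw public key accepted:", rpk_matches(SAMPLE_SPKI, [rec]))
```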