On Mon, Apr 07, 2025 at 12:47:33PM -0400, Bill Cole via mailop wrote:
> On 2025-04-07 at 09:38:56 UTC-0400 (Mon, 7 Apr 2025 06:38:56 -0700 (PDT))
> Mark Milhollan via mailop <lists-mai...@milhollan.com>
> is rumored to have said:
>
> > Mainly it is for browsers but that would force some senders to go along
> > if their receivers began rejecting expired certificates
>
> It is exceedingly rare for senders to use *any* certificate in an SMTP TLS
> session. Very few servers request them and they are not needed for
> encrypting traffic.
The OP is suggesting that servers would need to set short expiration times
even on self-signed certs, ...

Some sort of server cert is almost always required to use TLS with SMTP;
use of anonymous ciphers (TLS <= 1.2) or raw public keys (RFC 7250) is
relatively rare (Postfix to Postfix when TLS 1.3 is not supported would be
the bulk of anon-TLS traffic).

In Postfix, with DANE "3 1 [12]" records and OpenSSL 3.2 or later, raw
public keys are used, and the certificate is replaced by just the enclosed
public key, so any expiration date is never communicated to the client.

-- 
Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
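The point above about DANE "3 1 [12]" records, as an added worked example that is not part of the thread and not Postfix or OpenSSL code: a TLSA record with selector 1 matches only the SubjectPublicKeyInfo, so the certificate's validity period plays no role in the match, whereas selector 0 hashes the whole certificate and changes with every reissue. The script builds two constructed, X.509-shaped DER blobs (same key, different notBefore/notAfter, dummy signature, placeholder key bits, hostname mx.example.com; all of these are assumptions for illustration), extracts the SPKI with a minimal DER reader, and computes the RFC 6698 matching data for both selectors.

```python
import hashlib

# ---- tiny DER encoder, just enough to build the constructed sample certificates ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(v):
    # extra byte keeps the INTEGER positive when the top bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

OID_RSA = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1  rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName

def alg_id(oid):
    return seq(tlv(0x06, oid), tlv(0x05, b""))

def name(cn):
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))

def make_cert(spki, not_before, not_after, serial):
    """Constructed X.509-shaped DER: correct layout, dummy signature, not a real cert."""
    tbs = seq(
        tlv(0xA0, integer(2)),                            # [0] EXPLICIT version v3
        integer(serial),
        alg_id(OID_SHA256_RSA),
        name("mx.example.com"),                           # issuer (self-signed shape)
        seq(tlv(0x17, not_before.encode()),               # UTCTime notBefore
            tlv(0x17, not_after.encode())),               # UTCTime notAfter
        name("mx.example.com"),                           # subject
        spki,
    )
    return seq(tbs, alg_id(OID_SHA256_RSA), tlv(0x03, b"\x00" + b"\x00" * 16))

# ---- minimal DER reader used to pull fields back out of a DER certificate ----

def der_parse(buf, i=0):
    """Return (tag, body, end_offset) for the TLV starting at buf[i]."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
    return tag, buf[i + hdr:i + hdr + n], i + hdr + n

def der_children(body):
    """Split a constructed element's body into (tag, raw_tlv) pairs."""
    out, i = [], 0
    while i < len(body):
        tag, _, end = der_parse(body, i)
        out.append((tag, body[i:end]))
        i = end
    return out

def tbs_fields(cert_der):
    _, cert_body, _ = der_parse(cert_der)
    _, tbs_body, _ = der_parse(cert_body)              # first child is TBSCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                           # skip optional [0] version
        fields = fields[1:]
    return fields   # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...

def extract_spki(cert_der):
    return tbs_fields(cert_der)[5][1]

def validity(cert_der):
    _, val_body, _ = der_parse(tbs_fields(cert_der)[3][1])
    return tuple(der_parse(raw)[1].decode() for _, raw in der_children(val_body))

# ---- TLSA matching data: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512 ----

def tlsa_matching_data(cert_der, selector, mtype):
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(data).hexdigest()

def tlsa_record(owner, usage, selector, mtype, cert_der):
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_matching_data(cert_der, selector, mtype)}"

# Constructed sample: one (placeholder) key, two certificates with different validity periods.
SAMPLE_SPKI = seq(alg_id(OID_RSA), tlv(0x03, b"\x00" + bytes(range(32))))  # not a real RSA key
OLD_CERT = make_cert(SAMPLE_SPKI, "240101000000Z", "250101000000Z", serial=1)
NEW_CERT = make_cert(SAMPLE_SPKI, "250101000000Z", "260101000000Z", serial=2)

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, validity(cert))
        print("  ", tlsa_record("_25._tcp.mx.example.com.", 3, 1, 1, cert))  # same for both
        print("  ", tlsa_record("_25._tcp.mx.example.com.", 3, 0, 1, cert))  # differs
```

Running it prints identical "3 1 1" data for both certificates and different "3 0 1" data, which is why a "3 1 x" record survives a reissue that keeps the key, and why, once the peer only ever sees the SPKI, nothing about expiry reaches it. For real certificates the same reader works on the DER from `openssl x509 -outform DER`; the encoder exists only to build the offline sample.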