I've known for many years that Messagelabs, now part of Symantec, requests a valid client certificate from a narrow list of CAs if you want to use starttls with their servers, at least *.eu.messaglelabs.com.
This effectively kills off the use of any self-signed, expired and invalid certificates. Through an intermediate many years ago who talked to them I learned that they did written peering agreements if you wanted to use starttls with them. Now the peering agreement seems gone, but the other requirements are still in place. Is there anyone out there with a peering agreement, and/or any other info on the configuration & reasoning behind their selective choices? I just assume that a whole lot of mail must be sent in plain due to their very narrow approach? Regards, Per Thorsheim
