[Top] [All Lists]

Re: SMTP/TLS: Authentication of an SMTP server's identity

2004-05-06 11:42:24

RFC 3207 says that "a SMTP client would probably only
want to authenticate an SMTP server whose server certificate
has a domain name that is the domain name that the client
thought it was connecting to."

I assume this means that sending clients should expect
that the name in the certificate should match the name of
the Mail eXchanger host, and not the domain name that
was used to perform the MX lookup.  This makes sense
because the MX host might be in a different domain than
the one specified in the query.

That's the only way that makes sense.  If the SMTP client expected
the server's cert to match the domain in the email address
(the one used to query for MX records), it would not be feasible
to use the same SMTP server to accept mail for multiple MX domains.

this should probably go on the RFC editor's errata/clarifications
page for RFC 3207

Regime change 2004 - better late than never.