[Top] [All Lists]

SMTP/TLS: Authentication of an SMTP server's identity

2004-05-06 10:18:36

I would like to know what current industry standard
practices are with respect TLS enabled SMTP senders
and the expected domain name listed in the receiving
server's certificate.

RFC 3207 says that "a SMTP client would probably only
want to authenticate an SMTP server whose server certificate
has a domain name that is the domain name that the client
thought it was connecting to."

I assume this means that sending clients should expect
that the name in the certificate should match the name of
the Mail eXchanger host, and not the domain name that
was used to perform the MX lookup.  This makes sense
because the MX host might be in a different domain than
the one specified in the query.

For example, suppose an SMTP sender needs to send to
recipients at EXAMPLE.ORG and there are two MX hosts for
The sending client should probably expect that each of
the MX hosts would have its own certificate and the name
in each certificate should match the MX host name.

Does this sound correct and does it match was existing
implementations are doing?

Thanks in advance,
Daryl Odnert
Tumbleweed Communications
Redwood City, California