Tony Finch wrote:
> There is no firm specification of how an SMTP implementation should use
> the results of TLS authentication, so in practice MTAs just ignore the
> results. (MUAs are better.) As a consequence many TLS certificates offered
> by MX hosts match neither the MX's mail domain nor its host name.

FWIW, I've actually measured that. Each of Postini's outbound SMTP relays connects to roughly 30,000 domains per day that claim TLS support. Of those, about 50% use self-signed certs. (Certain "demo" certs come up over and over.) Another 35% are CA signed, but contain errors, like incomplete chains or expired certs. Of the 15% where the certificate chain is valid, half don't match the MX name. So -- only 7% to 8% of all MX domains that implement TLS do so correctly. Note that Postini's outbound service is heavily biased towards B-to-B.

You'd be shocked by some of the sites that get it wrong. (Or not. :-)

As an experiment, I sent E-mail to the postmasters of 20-odd sites, complaining about their TLS certificates. One Tier-3 ISP responded very cordially and fixed the cert chain. One large E-tailer bounced me from department to department for *months*; apparently someone was being goaled on responding to customer complaints, even if they couldn't fix them. The rest gave no answer or an auto response.

I haven't run that report in about six months; time to do that again and see if the situation has improved any. Somehow I doubt it.
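The survey above sorts MX hosts into self-signed, CA-signed-but-broken (expired or incomplete chain), valid-but-mismatched, and correct. The script below is an added example of how to reproduce that bucketing for a list of MX hosts; it is not Postini's tooling and is not from the original thread. It assumes an `openssl` binary new enough to support `-verify_hostname` (1.1.0 or later), shells out to `openssl s_client -starttls smtp`, and reads the `Verify return code` line, mapping OpenSSL's X509_V_ERR_* values onto the post's categories. The classifier is separate from the network probe so it can be exercised on captured `s_client` output offline; the probe and bucket names are this example's own choices.

```python
"""Bucket an MX host's STARTTLS certificate the way the survey in the post does.

Assumption (not from the original post): we run
  openssl s_client -starttls smtp -connect <mx>:25 -verify_hostname <mx>
and parse its 'Verify return code: N (text)' line. N is an OpenSSL
X509_V_ERR_* value from x509_vfy.h.
"""
import re
import subprocess
from collections import Counter

# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18), X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (19)
SELF_SIGNED = {18, 19}
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (2), X509_V_ERR_CERT_HAS_EXPIRED (10),
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20),
# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (21): "CA signed, but contains errors"
CHAIN_ERRORS = {2, 10, 20, 21}
# X509_V_ERR_HOSTNAME_MISMATCH (62): chain verified, but name does not match the MX
HOSTNAME_MISMATCH = 62

VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)", re.M)


def classify(s_client_output: str) -> str:
    """Map openssl s_client output to one of the survey's buckets.

    OpenSSL reports the first verification failure, so a hostname mismatch
    is only reported once the chain itself verified; that matches the
    post's nesting ("of the valid chains, half don't match the MX name").
    """
    m = VERIFY_RE.search(s_client_output)
    if not m:
        return "no-tls"          # no handshake completed: no STARTTLS offered, or refused
    code = int(m.group(1))
    if code == 0:
        return "ok"              # chain valid and name matches the MX host
    if code in SELF_SIGNED:
        return "self-signed"
    if code == HOSTNAME_MISMATCH:
        return "name-mismatch"
    if code in CHAIN_ERRORS:
        return "chain-error"
    return "other-error"         # revoked, bad purpose, unsupported algorithm, ...


def probe_mx(mx_host: str, port: int = 25, timeout: int = 15) -> str:
    """Live probe of one MX host (needs network and an openssl binary)."""
    cmd = [
        "openssl", "s_client", "-starttls", "smtp",
        "-connect", f"{mx_host}:{port}",
        "-servername", mx_host,          # send SNI, as a modern MTA would
        "-verify_hostname", mx_host,     # compare SAN/CN against the MX name
    ]
    try:
        proc = subprocess.run(cmd, input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return "no-tls"
    return classify(proc.stdout.decode(errors="replace"))


def summarize(labels) -> dict:
    """Percentage per bucket, the form the post quotes its numbers in."""
    counts = Counter(labels)
    total = sum(counts.values()) or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    import sys
    # Usage: python mxtls.py mx1.example.net mx2.example.org ...
    results = {h: probe_mx(h) for h in sys.argv[1:]}
    for host, bucket in results.items():
        print(f"{host}\t{bucket}")
    print(summarize(results.values()))
```

Run it against an MX list to get a per-host verdict and the bucket percentages; the "ok" bucket is the post's "implement TLS correctly" figure. Self-signed roots that a site has deliberately pinned will land in "self-signed" because openssl is only consulting the system trust store, which is also exactly how an opportunistic-TLS peer with no out-of-band trust would see them.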


