Tony Finch wrote:
There is no firm specification of how an SMTP implementation should use
the results of TLS authentication, so in practice MTAs just ignore the
results. (MUAs are better.) As a consequence many TLS certificates offered
by MX hosts match neither the MX's mail domain nor its host name.
FWIW, I've actually measured that. Each of Postini's outbound SMTP
relays connects to roughly 30,000 domains per day that claim TLS
support. Of those, about 50% use self-signed certs. (Certain "demo"
certs come up over and over.) Another 35% are CA signed, but contain
errors, like incomplete chains or expired certs. Of the 15% where the
certificate chain is valid, half don't match the MX name. So -- only 7%
to 8% of all MX domains that implement TLS do so correctly. Note that
Postini's outbound service is heavily biased towards B-to-B.
You'd be shocked by some of the sites that get it wrong. (Or not. :-)
As an experiment, I sent E-mail to the postmasters of 20-odd sites,
complaining about their TLS certificates. One Tier-3 ISP responded very
cordially and fixed the cert chain. One large E-tailer bounced me from
department to department for *months*; apparently someone was being
goaled on responding to customer complaints, even if they couldn't fix
them. The rest gave no answer or an auto response.
I haven't run that report in about six months; time to do that again and
see if the situation has improved any. Somehow I doubt it.
<csg>