In RFC 3207, section 4.1 provides a guideline for a possible
condition for an MTA to reject a TLS session:
The decision of whether or not to believe the authenticity of the
other party in a TLS negotiation is a local matter. However, some
general rules for the decisions are:
- A SMTP client would probably only want to authenticate an SMTP
server whose server certificate has a domain name that is the
domain name that the client thought it was connecting to.
Why were possible expiration condition "insights" excluded from the
production of this doc, if they were discussed at all?
I'm thinking of adding some time-based rules for TLS rejection and
just wondering if it's worth it. Of course, this is to help an automated
MTA decision, not a MUA/MTA manual end-user question/decision. I'm
thinking something like:
TLS Rejection Reasons:
[X] Domain mismatch
[X] Expired DAYS __60__
I guess maybe time has nothing to do with the fact that you reached
a matching TLS domain target?
Thanks for your insights
--
Sincerely
Hector Santos
http://www.santronics.com
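An added example (not part of the post above, nor of RFC 3207) of what the two proposed rejection reasons look like as an automated client-side policy check run after the TLS handshake. The certificate is modelled as a plain `CertInfo` record standing in for a parsed X.509 certificate, the sample certificates and host names are constructed, and the "Expired DAYS" knob is read, as an assumption, as "tolerate a certificate that expired no more than N days ago, reject anything staler". Name matching follows the later RFC 6125 rules (subjectAltName dNSName entries take precedence over the subject CN; a wildcard is honoured only as the whole leftmost label), which are an assumption layered on top of the RFC 3207 text quoted above.

```python
"""Added example: certificate acceptance policy for an SMTP client after
STARTTLS, with two rejection reasons: domain mismatch and expiry beyond a
configurable number of days. Runs offline on constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class CertInfo:
    """Fields of a server certificate the policy inspects (a constructed
    stand-in for a parsed X.509 certificate)."""
    subject_cn: str
    san_dns: List[str]          # dNSName entries from subjectAltName, if any
    not_before: datetime
    not_after: datetime


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison. A wildcard is honoured only as
    the whole leftmost label and matches exactly one label (RFC 6125 style):
    '*.example.com' matches 'mail.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def domain_matches(cert: CertInfo, target_host: str) -> bool:
    """True if the certificate names the host the client meant to reach.
    subjectAltName dNSName entries, when present, are authoritative and the
    subject CN is ignored; otherwise the CN is used (RFC 6125 rule)."""
    presented = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(name, target_host) for name in presented)


def rejection_reasons(cert: CertInfo, target_host: str,
                      now: datetime, expired_grace_days: int) -> List[str]:
    """Return the policy reasons to reject the TLS session; an empty list
    means accept. expired_grace_days is the 'Expired DAYS' knob from the
    post, read here (an assumption) as: tolerate a certificate that expired
    no more than that many days ago, reject one that is staler than that."""
    reasons: List[str] = []
    if not domain_matches(cert, target_host):
        reasons.append("domain mismatch")
    if now < cert.not_before:
        reasons.append("certificate not yet valid")
    elif now > cert.not_after + timedelta(days=expired_grace_days):
        days_expired = (now - cert.not_after).days
        reasons.append(f"expired {days_expired} days ago "
                       f"(limit {expired_grace_days})")
    return reasons


def should_reject(cert: CertInfo, target_host: str, now: datetime,
                  expired_grace_days: int = 60) -> bool:
    """Boolean form of the decision; a rejecting client would QUIT here."""
    return bool(rejection_reasons(cert, target_host, now, expired_grace_days))


# Constructed sample data (not real certificates, hosts or dates).
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
FRESH = CertInfo("mail.example.com", ["mail.example.com", "smtp.example.com"],
                 NOW - timedelta(days=300), NOW + timedelta(days=65))
STALE = CertInfo("mail.example.com", ["mail.example.com"],
                 NOW - timedelta(days=455), NOW - timedelta(days=90))
WILD = CertInfo("*.example.com", [],
                NOW - timedelta(days=10), NOW + timedelta(days=355))
RENAMED = CertInfo("old.example.com", ["mail.example.com"],
                   NOW - timedelta(days=10), NOW + timedelta(days=355))
FUTURE = CertInfo("mail.example.com", [],
                  NOW + timedelta(days=1), NOW + timedelta(days=366))

if __name__ == "__main__":
    cases = [("fresh", FRESH, "mail.example.com"),
             ("stale", STALE, "mail.example.com"),
             ("wildcard ok", WILD, "mail.example.com"),
             ("wildcard too deep", WILD, "a.b.example.com"),
             ("san beats cn", RENAMED, "old.example.com"),
             ("not yet valid", FUTURE, "mail.example.com")]
    for label, cert, host in cases:
        print(f"{label:18} -> {rejection_reasons(cert, host, NOW, 60) or ['accept']}")
```

The grace window only tolerates a certificate that is already expired; whether an automated MTA should accept that at all, rather than simply fall back to an unauthenticated or cleartext session, is exactly the policy question the post raises, and the check is written so that setting the window to 0 gives strict expiry enforcement.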