ietf-smtp
[Top] [All Lists]

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-14 20:28:08

Alexey Melnikov wrote:
... one of the references for DANE -- RFC 6125 -- seems to be exactly what I was looking for. Unfortunately, it very deliberately codifies the language from RFC 2818 for wildcards, with the established practice for SMTP being a SHOULD NOT.
Backward compatibility might be a sufficient reason to violate the SHOULD NOT.

I don't think it's that easy. The issue is with Email virtual hosting implementations that embed the virtual domain name (or any token with dots in it) in the MX record. For example, if you look up the MX record for gutekunst.org, you'll see:

   gutekunst.org.        86382    IN    MX    100
   gutekunst.org.s8a1.psmtp.com.
   gutekunst.org.        86382    IN    MX    200
   gutekunst.org.s8a2.psmtp.com.
   gutekunst.org.        86382    IN    MX    300
   gutekunst.org.s8b1.psmtp.com.
   gutekunst.org.        86382    IN    MX    400
   gutekunst.org.s8b2.psmtp.com.

Postini's SSL certificate reads:

   Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.psmtp.com

I'm sure they aren't the only ESP that does this; MXLogic for sure, probably CheckFree, possibly FrontBridge.

<csg>

<Prev in Thread] Current Thread [Next in Thread>