
Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-14 20:28:08

Alexey Melnikov wrote:
... one of the references for DANE -- RFC 6125 -- seems to be exactly what I was looking for. Unfortunately, it very deliberately codifies the language from RFC 2818 for wildcards, with the established practice for SMTP being a SHOULD NOT.
Backward compatibility might be a sufficient reason to violate the SHOULD NOT.

I don't think it's that easy. The issue is with Email virtual hosting implementations that embed the virtual domain name (or any token with dots in it) in the MX record. For example, if you look up the MX record for, you'll see:

        86382    IN    MX    100
        86382    IN    MX    200
        86382    IN    MX    300
        86382    IN    MX    400

Postini's SSL certificate reads:

   Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*

I'm sure they aren't the only ESP that does this; MXLogic for sure, probably CheckFree, possibly FrontBridge.
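The matching rule at issue in this thread, as an added illustration that is not part of the original message or of any MTA's code: RFC 6125 section 6.4.3 lets a wildcard stand only as the complete left-most label of the presented identifier and lets it match exactly one label of the reference identifier, never a dotted span. When a hosting provider embeds a customer's dotted domain in the MX target host name, a single-label wildcard certificate for the provider's zone therefore cannot verify that host, and an explicit dNSName list is the configuration that does. All host names and certificate names below are constructed placeholders, not the real MX targets or certificate discussed above.

```python
"""RFC 6125 (section 6.4.3) wildcard matching for DNS-ID / CN-ID identifiers.

Added example; not code from the thread. Host names are constructed
placeholders rather than any provider's real MX targets or certificate.
"""


def match_hostname(presented: str, reference: str) -> bool:
    """Return True if a presented identifier from the certificate matches the
    reference identifier the client expected (here: the MX target host).

    Rules applied, following RFC 6125 section 6.4.3:
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is accepted only as the whole left-most label ("*.x.y");
        the partial-label form ("baz*.x.y") is a MAY in the RFC and is
        rejected here as a deliberately strict choice
      - the wildcard matches exactly one label, never across a dot
      - no wildcard match against an IDNA A-label (xn--) left-most label
      - at least two labels must follow the wildcard ("*.com" is refused)
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r

    p_labels = p.split(".")
    r_labels = r.split(".")
    # Wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # Exactly one label is consumed by the wildcard, so label counts must agree;
    # this is what makes "*.x.y" fail against "a.b.x.y".
    if len(r_labels) != len(p_labels):
        return False
    if r_labels[0].startswith("xn--") or not r_labels[0]:
        return False
    return r_labels[1:] == p_labels[1:]


def verify_mx_target(mx_host: str, cert_names: list) -> bool:
    """True if any presented identifier in the certificate matches mx_host."""
    return any(match_hostname(name, mx_host) for name in cert_names)


def report(mx_targets: list, cert_names: list) -> dict:
    """Map each MX target host to whether the certificate verifies for it."""
    return {host: verify_mx_target(host, cert_names) for host in mx_targets}


# Constructed sample (placeholders): a hosting provider that embeds the
# customer's dotted domain in the MX target, so every target has extra labels.
SAMPLE_MX_TARGETS = [
    "customer.example.s1.hosted-mx.example",
    "customer.example.s2.hosted-mx.example",
]
# Single-label wildcard for the provider's zone: cannot cover the targets above.
WILDCARD_CERT_NAMES = ["*.hosted-mx.example"]
# The configuration that does verify: explicit dNSName entries per MX host.
EXPLICIT_CERT_NAMES = list(SAMPLE_MX_TARGETS)

if __name__ == "__main__":
    for host, ok in report(SAMPLE_MX_TARGETS, WILDCARD_CERT_NAMES).items():
        print(f"wildcard cert  {host}: {'verified' if ok else 'NOT verified'}")
    for host, ok in report(SAMPLE_MX_TARGETS, EXPLICIT_CERT_NAMES).items():
        print(f"explicit SANs  {host}: {'verified' if ok else 'NOT verified'}")
```

The label-count check is the whole story: a wildcard certificate for the provider's zone verifies `s1.hosted-mx.example` but not `customer.example.s1.hosted-mx.example`, so a client that follows RFC 6125 strictly will reject exactly the MX hosts that this kind of virtual hosting produces.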

