Agreed that client certs can be useful for mail submission
authentication. But I was wondering about the feasibility of migrating
to use of client certificates for relay to mail exchangers, i.e. across
administrative mail domain boundaries.
I don't see what problem it would solve.
The only path authentication that MTAs do now is SPF, which most
people agree is pretty lousy, and in the other direction IP based
Most certs are signed by Let's Encrypt, who promise little more than
that the entity presenting the cert is the same one that presented the
signing request. That doesn't impress me as any better than using an
Whitelisting mail by source on the assumption that you can identify
sources that send good mail is a Well Known Bad Idea. Any source big
enough to be worth whitelisting is big enough to have accounts that
get compromised and users infected by malware, so legit mail sources
all send some spam, too.
Apropos whitelisting, I can tell you long tedious stories about all
the people who insisted that Spamhaus needed to publish a whitelist.
When we did, we found that nobody who qualified cared if they were
whitelisted, and nobody who wanted to be listed met the criteria.
ietf-smtp mailing list