Current-Users archive


Re: openssl3+postfix issue (ca md too weak)



hello Ken.  It may be that the RFC says the client need not present a valid certificate, but
I have found that smtp clients I manage that want to send mail to Microsoft managed domains
cannot set up an SSL-encrypted smtp session unless the client presents a valid certificate as
part of the key negotiation process.  This may be something they're doing in violation of the
RFC, but I found when I configured sendmail to present a valid certificate, one that could be
verified versus a self-signed certificate, mail which wasn't flowing began flowing again.  Note
I'm not talking about an smtp-auth situation where an individual user is authenticating to an
smtp service, but rather server-to-server communications where two smtp MTA agents want to
exchange mail with each other.

-thanks
-Brian

On Nov 14,  9:30am, Ken Hornstein wrote:
} Subject: Re: openssl3+postfix issue (ca md too weak)
} >       Hello Taylor.  Just as a point of reference, smtp clients that
} >connect to domains hosted by Microsoft, i.e. outlook.com and any other
} >domains that use their infrastructure for e-mail, will have to present
} >a valid SSL certificate in order to submit mail to their smtp servers.
} 
} I do not believe this statement is correct.  My reading of RFC 8461
} is that all it says is that the _server_ has to have a valid certificate
} and says nothing about client certificates.  In my limited experience
} configuring your SMTP _client_ to present a certificate is very very
} rare.
} 
} --Ken
>-- End of excerpt from Ken Hornstein
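The subject of this thread, "ca md too weak", is the OpenSSL verification error an MTA peer reports when a certificate in the chain it is handed was signed with a digest its security level no longer accepts (at OpenSSL 3's default level, MD5 and SHA-1 signatures). Whether the certificate is presented by the server or, as Brian describes, by the client MTA, the first thing to check is the signature algorithm on each certificate in the chain. The following is an added example, not code from this thread or from Postfix, sendmail or OpenSSL: it reads the outer signatureAlgorithm of an X.509 certificate (PEM or DER) with a small DER walker and flags weak digests. The OID names are the standard ones; the sample certificates are constructed placeholders whose only realistic part is the signatureAlgorithm field, so the helper `sample_certificate` is an assumption for demonstration only.

```python
"""Added example: report the signature digest of an X.509 certificate and
flag the ones (MD5, SHA-1) that OpenSSL 3 rejects at its default security
level with "CA MD too weak"."""
import base64
import re

# OID -> (name, digest is weak). Standard OIDs; the weak flag marks the
# digests OpenSSL 3 refuses for chain signatures at security level 1.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
    "1.3.101.112": ("Ed25519", False),
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn OID content bytes into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(cert_bytes):
    """Return (algorithm name, is_weak) from a certificate's signatureAlgorithm.
    Unknown OIDs come back as (dotted OID, None)."""
    der = pem_to_der(cert_bytes)
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected outer Certificate SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: not needed here
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    assert oid_tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, (dotted, None))


# --- constructed sample input (hypothetical, not a real certificate) ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_certificate(sig_oid, pem=False):
    """Build a certificate-shaped DER blob; only signatureAlgorithm is realistic."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder TBS
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _der(0x03, b"\x00" + bytes(32))                       # dummy BIT STRING
    der = _der(0x30, tbs + alg + sig)
    if pem:
        return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
                + b"-----END CERTIFICATE-----\n")
    return der


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, weak = signature_algorithm(sample_certificate(oid, pem=True))
        print(name, "- weak digest, rejected by OpenSSL 3 defaults" if weak else "- ok")
```

Run `signature_algorithm` over every certificate in the chain the MTA presents, not just the leaf: the error names the CA because it is usually an old intermediate or root that was signed with SHA-1. On Postfix the client-side certificate Brian describes is configured with the `smtp_tls_cert_file` and `smtp_tls_key_file` parameters; whichever MTA presents the chain, this check shows whether an OpenSSL 3 peer will accept its signatures before the session fails in production.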

