nanog mailing list archives
Re: smtp.comcast.net self-signed certs
From: Jeff Mitchell <jeff () emailgoeshere com>
Date: Fri, 16 Jan 2009 11:39:51 -0500
Tony Finch wrote:
> > My understanding is that Comcast uses it simply for encryption, not for authentication.
>
> That's not entirely true. SMTP over TLS is intended to work for inter-domain SMTP, and it is in fact quite frequently used.

You're right; certificate verification was turned on on my end simply because I'd never had a reason to turn it off (since in recent times the majority of my mail goes through their gateway, which has never presented an invalid certificate to me before).

> Most SMTP software does not check certificates and many certificates installed on MX hosts have different common names from the MX record target hostname. Turning on certificate verification breaks too much email, and there's no incentive for postmasters to install valid certificates.

However, in this case, there is another benefit: the presence of what was clearly a default certificate on some of their servers, where before there were always valid certificates presented, could indicate that the rest of the mailserver was incorrectly configured. Better that mail is delayed than it is accepted and ends up bounced or disappearing into the ether (that was my main incentive for the OP) :-)

FWIW, this seems to be fixed today.

--Jeff
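As an added illustration of the point both posters are making (not code from the thread or from any of the participants), the script below performs the STARTTLS check as a diagnostic: it separates an untrusted or default certificate from the much more common "trusted CA, but the name differs from the MX target" case that Tony describes, and reports the result instead of refusing delivery. The host names in it are constructed placeholders.

```python
"""Diagnostic STARTTLS certificate check for an MX host.
Added example, not from the nanog thread; host names are constructed placeholders."""
import smtplib
import ssl


def san_dns_names(cert):
    """DNS names from subjectAltName; fall back to commonName only when the
    certificate carries no SAN entries (the same precedence Python's ssl uses)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole
    leftmost label, never matching across a dot or a public suffix like *.net."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return (len(plabels) == len(hlabels) and plabels[0] == "*"
            and len(plabels) > 2 and plabels[1:] == hlabels[1:])


def classify(cert, mx_host, chain_ok):
    """Reduce a peer certificate (as returned by getpeercert()) to one of the
    three situations the thread discusses."""
    if not chain_ok:
        return "untrusted-chain"          # self-signed / vendor default certificate
    if any(name_matches(n, mx_host) for n in san_dns_names(cert)):
        return "valid"
    return "name-mismatch"                # trusted CA, but CN/SAN != MX target hostname


def check_mx(mx_host, port=25, timeout=10):
    """Live check: EHLO, STARTTLS with chain verification, then match the name
    ourselves.  The outcome is a report for the postmaster, not a delivery decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name matching is done by classify()
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still verify against the CA store
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError:
            return "untrusted-chain"
        return classify(smtp.sock.getpeercert(), mx_host, chain_ok=True)
```

Run `check_mx("mx.example.invalid")` against a host you administer to see which of the three outcomes it presents; a change from "valid" to "untrusted-chain" on a host that used to verify is the kind of signal Jeff was acting on.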
Current thread:
- smtp.comcast.net self-signed certs Jeff Mitchell (Jan 15)
- Re: smtp.comcast.net self-signed certs Florian Weimer (Jan 16)
- Re: smtp.comcast.net self-signed certs Adrian Chadd (Jan 16)
- Re: smtp.comcast.net self-signed certs Florian Weimer (Jan 16)
- Re: smtp.comcast.net self-signed certs Tony Finch (Jan 16)
- Re: smtp.comcast.net self-signed certs Jeff Mitchell (Jan 16)
- Re: smtp.comcast.net self-signed certs Tony Finch (Jan 16)
- Re: smtp.comcast.net self-signed certs Owen DeLong (Jan 16)
- Re: smtp.comcast.net self-signed certs Eric Tow (Jan 16)
- Re: smtp.comcast.net self-signed certs Jeff Mitchell (Jan 16)
- Re: smtp.comcast.net self-signed certs Adrian Chadd (Jan 16)
- Re: smtp.comcast.net self-signed certs Florian Weimer (Jan 16)