[110773] in North American Network Operators' Group
Re: smtp.comcast.net self-signed certs
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 16 12:31:44 2009
From: Owen DeLong <owen@delong.com>
To: Tony Finch <dot@dotat.at>
In-Reply-To: <alpine.LSU.2.00.0901161653090.6095@hermes-1.csi.cam.ac.uk>
Date: Fri, 16 Jan 2009 09:27:48 -0800
Cc: nanog@nanog.org, Jeff Mitchell <jeff@emailgoeshere.com>
Errors-To: nanog-bounces@nanog.org
On Jan 16, 2009, at 8:54 AM, Tony Finch wrote:
> On Fri, 16 Jan 2009, Jeff Mitchell wrote:
>
>> You're right; certificate verification was turned on on my end simply because
>> I'd never had a reason to turn it off (since in recent times the majority of
>> my mail goes through their gateway, which has never presented an invalid
>> certificate to me before).
>
> Message submission is very different to inter-domain SMTP. There's no MX
> indirection, so the TLS certificate actually verifies the correct name,
> and certificate verification is normal on the client, and correct
> certificates are normal on servers. A much better situation.
>
> Tony.
Sure, but, in that case, it's also perfectly valid to load the self-signed
root certificate for that SMTP server's cert. chain into the trusted roots
set.
Owen
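The approach Tony and Owen describe, as an added example that is not code from either of them or from the list: a submission client that keeps certificate and hostname verification on, and trusts the operator's self-signed root (obtained out of band) instead of switching verification off. The host, port and root-certificate path are constructed placeholders, not values from the thread.

```python
import smtplib
import ssl

# Constructed placeholders for this example (not from the thread).
SUBMISSION_HOST = "smtp.example.net"          # the submission server you configured
SUBMISSION_PORT = 587
PINNED_ROOT = "/etc/ssl/local/smtp-root.pem"  # operator's self-signed root, fetched out of band


def build_verifying_context(cafile=None):
    """TLS context for message submission: require a server certificate,
    verify it chains to a trusted root (only the pinned root when cafile is
    given), and check that it names the host we connect to."""
    if cafile is None:
        ctx = ssl.create_default_context()          # system trust store
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)    # trust only the pinned root
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_disabled_context():
    """The 'turn verification off' alternative: any certificate is accepted,
    so the TLS session protects nothing against an active attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """True if ctx both requires a chain to a trusted root and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def submit_message(mail_from, rcpt_to, message, cafile=PINNED_ROOT):
    """Submit one message over STARTTLS on port 587 with full verification.
    Because submission has no MX indirection, the certificate must name the
    configured SUBMISSION_HOST; smtplib passes that host as server_hostname."""
    ctx = build_verifying_context(cafile)
    with smtplib.SMTP(SUBMISSION_HOST, SUBMISSION_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # raises ssl.SSLError on an untrusted cert
        smtp.ehlo()
        smtp.sendmail(mail_from, [rcpt_to], message)


if __name__ == "__main__":
    submit_message("me@example.net", "you@example.org",
                   "Subject: test\r\n\r\nhello\r\n")
```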