
Client Auth certificates, threat or menace?

From John Levine <johnl@taugh.com>
Newsgroups comp.mail.sendmail
Subject Client Auth certificates, threat or menace?
Date 2025-05-20 16:35 +0000
Organization Taughannock Networks
Message-ID <100iavl$13mj$1@gal.iecc.com> (permalink)



Let's Encrypt issues the vast majority of signed TLS certificates these days.
They recently said they will end the option to sign Client Authentication
certificates, and only do the more common Server Authentication.

By my understanding, the only place that a mail system uses Client
Authentication certs is that a submission client can present a cert
for SMTP AUTH rather than a username and a password. It's a niche
feature and the normal way to do it is for the mail system to set up
its own private CA and sign the users' certs, so it can just check
that it sees its signature.
encrypt.

This thread at Let's Encrypt claims that this will break sendmail because it
checks for the Client bit when it's sending mail.  That seems wrong but I
figure it wouldn't hurt to ask.

https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
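
The distinction the post asks about, as an added example that is not part of the original post: a throwaway private CA signs one certificate with the clientAuth EKU and one with serverAuth only, and `openssl verify -purpose` shows how a peer that enforces the client purpose treats each. The CA name, host names and file names are hypothetical; it assumes an `openssl` 1.1.1 or later binary on the PATH.

```shell
#!/bin/sh
# Constructed demo: a private CA signs two leaf certs, one with the clientAuth
# EKU and one with serverAuth only; OpenSSL then checks each against the
# "sslclient" and "sslserver" purposes. All names below are hypothetical.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME CN: fresh key plus certificate request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# make_ca: self-signed private CA, as a mail operator might run for SMTP AUTH certs.
make_ca() {
    new_csr ca "Example Mail Private CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# issue NAME EKU: leaf cert carrying exactly the given extendedKeyUsage.
issue() {
    new_csr "$1" "$1.example.test"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# accepted NAME PURPOSE: exit 0 if NAME.pem verifies under the CA for PURPOSE.
accepted() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca
issue both   "clientAuth,serverAuth"
issue server "serverAuth"

for name in both server; do
    for purpose in sslclient sslserver; do
        if accepted "$name" "$purpose"; then verdict=accepted; else verdict=REJECTED; fi
        echo "$name.pem checked as $purpose: $verdict"
    done
done
```

To see which EKUs a deployed certificate carries, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` prints them.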
