smtp.comcast.net self-signed certs
Owen DeLong
owen at delong.com
Fri Jan 16 17:27:48 UTC 2009
On Jan 16, 2009, at 8:54 AM, Tony Finch wrote:
> On Fri, 16 Jan 2009, Jeff Mitchell wrote:
>
>> You're right; certificate verification was turned on on my end simply because
>> I'd never had a reason to turn it off (since in recent times the majority of
>> my mail goes through their gateway, which has never presented an invalid
>> certificate to me before).
>
> Message submission is very different to inter-domain SMTP. There's no MX
> indirection, so the TLS certificate actually verifies the correct name,
> and certificate verification is normal on the client, and correct
> certificates are normal on servers. A much better situation.
>
> Tony.

Sure, but, in that case, it's also perfectly valid to load the self-signed
root certificate for that SMTP server's cert. chain into the trusted roots set.

Owen
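
An added example, not part of the original thread: a Python submission client that keeps certificate and hostname verification on while trusting only one operator-supplied self-signed root. The host name `smtp.example.net`, the file name `submission-root.pem` and the function names are assumptions made for illustration.

```python
import smtplib
import ssl


def strict_context() -> ssl.SSLContext:
    """Client context with an EMPTY trust store; nothing is trusted yet."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and check_hostname by default
    # and, unlike ssl.create_default_context(), loads no system roots.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pin_root(ctx: ssl.SSLContext, root_pem_path: str) -> ssl.SSLContext:
    """Add the server's self-signed root as the only trust anchor."""
    ctx.load_verify_locations(cafile=root_pem_path)
    return ctx


def open_submission(host: str, root_pem_path: str, port: int = 587) -> smtplib.SMTP:
    """Connect to the submission service and upgrade with STARTTLS.

    The certificate is checked against `host`, the name the user configured:
    submission involves no MX lookup that could substitute another name.
    """
    ctx = pin_root(strict_context(), root_pem_path)
    smtp = smtplib.SMTP(host, port, timeout=30)
    try:
        smtp.ehlo()
        # Raises ssl.SSLCertVerificationError if the chain does not end at the
        # pinned root or the certificate does not match `host`.
        smtp.starttls(context=ctx)
        smtp.ehlo()
    except Exception:
        smtp.close()
        raise
    return smtp


if __name__ == "__main__":
    # Hypothetical values: substitute the provider's host and its exported root.
    conn = open_submission("smtp.example.net", "submission-root.pem")
    print(conn.sock.version())
    conn.quit()
```

Because the trust store holds only the pinned root, a certificate issued by any other CA fails verification on this connection, and so does a certificate for a different name.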