self-signed certs

Jeff Mitchell jeff at
Fri Jan 16 16:39:51 UTC 2009

Tony Finch wrote:
> That's not entirely true. SMTP over TLS is intended to work for
> inter-domain SMTP, and it is in fact quite frequently used.
My understanding is that Comcast uses it simply for encryption, not for 
> * Most SMTP software does not check certificates and many certificates
> installed on MX hosts have different common names from the MX record
> target hostname. Turning on certificate verification breaks too much
> email, and there's no incentive for postmasters to install valid
> certificates.
You're right; certificate verification was turned on on my end simply 
because I'd never had a reason to turn it off (since in recent times the 
majority of my mail goes through their gateway, which has never 
presented an invalid certificate to me before).

However, in this case, there is another benefit: the presence of what 
was clearly a default certificate on some of their servers, where before 
there were always valid certificates presented, could indicate that the 
rest of the mailserver was incorrectly configured.  Better that mail is 
delayed than it is accepted and ends up bounced or disappearing into 
the ether (that was my main incentive for the OP) :-)

FWIW, this seems to be fixed today.
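The trade-off discussed above (opportunistic TLS versus certificate verification on outbound SMTP, and why a certificate whose name differs from the MX target hostname fails the check), worked through as an added example that is not part of the original post or the list thread. The certificates below are constructed dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns; the host names, CA name and the decide() policy function are assumptions for illustration, not anyone's production configuration.

```python
"""Outbound SMTP TLS: does the MX host's certificate match the name we
connected to, and what should the sending MTA do about it?

Added example for this thread.  Certificates are constructed dicts in the
shape ssl.SSLSocket.getpeercert() returns; names/CA are made up.
"""

# ---- constructed sample certificates (assumed data, not real hosts) ----
CA_ISSUER = ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),))

# CA-issued cert whose name is the MX target hostname: would verify.
CERT_GOOD = {
    "subject": ((("commonName", "mx1.example.com"),),),
    "issuer": CA_ISSUER,
    "subjectAltName": (("DNS", "mx1.example.com"),),
}
# CA-issued cert for a different name than the MX record points at: the
# common case Tony describes (valid cert, wrong hostname).
CERT_MISMATCH = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": CA_ISSUER,
    "subjectAltName": (("DNS", "mail.example.net"),),
}
# Distro-style default cert: self-signed, generic name, no SAN.
CERT_DEFAULT = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
}
# Wildcard SAN covering one label under example.com.
CERT_WILDCARD = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": CA_ISSUER,
    "subjectAltName": (("DNS", "*.example.com"),),
}


def cert_names(cert):
    """DNS names the certificate is valid for: every DNS subjectAltName,
    falling back to the subject commonName only when there are no SANs
    (the RFC 6125 rule most TLS libraries follow)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire leftmost label and matching exactly one
    label (so *.example.com covers mx1.example.com but not example.com or
    a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_ok(cert, mx_host):
    """True if any name in the cert matches the MX target we connected to.
    Chain, CA trust and expiry are the TLS library's job (an ssl context
    with CERT_REQUIRED); this is only the name half of verification."""
    return any(name_matches(n, mx_host) for n in cert_names(cert))


def is_self_signed(cert):
    """A self-signed cert has identical subject and issuer; together with a
    generic name it is the signature of an unconfigured default install."""
    return cert.get("subject") == cert.get("issuer")


def classify(cert, mx_host):
    if hostname_ok(cert, mx_host):
        return "match"
    if is_self_signed(cert):
        return "self-signed"
    return "mismatch"


def decide(cert, mx_host, verify):
    """Assumed sender policy.  verify=True: anything but a name match defers
    the message (a 4xx-style retry later, never a bounce), which is the
    'better delayed than lost' stance.  verify=False: opportunistic TLS,
    deliver regardless but return the observation so a host that suddenly
    presents a default cert can still be noticed in logs."""
    status = classify(cert, mx_host)
    if verify and status != "match":
        return ("defer", status)
    return ("deliver", status)


if __name__ == "__main__":
    mx = "mx1.example.com"
    for label, cert in [("good", CERT_GOOD), ("mismatch", CERT_MISMATCH),
                        ("default", CERT_DEFAULT), ("wildcard", CERT_WILDCARD)]:
        for verify in (True, False):
            print(f"{label:9} verify={verify!s:5} -> {decide(cert, mx, verify)}")
```

Run it as a script to see the four sample certificates under both policies; the point of the table is that only the verifying policy turns the mismatch and the default certificate into a deferral, and that the wildcard certificate matches the MX host while the equally legitimate mail.example.net certificate does not.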
