
Re: Email sender refusing to send to unknown ca



On Fri, 2 Jun 2023, Jeffrey Walton wrote:

On Fri, Jun 2, 2023 at 2:20 PM Tim Woodall <debianuser@woodall.me.uk> wrote:

Anyone come across delivery failures where the client cert is signed by
an internal CA?

Are you sure it's not a self-signed end-entity certificate used in an
Opportunistic Encryption scheme?
https://en.wikipedia.org/wiki/Opportunistic_encryption#E-mail

It's my mailserver, CA is mine. I should have said server cert, sorry.

Their server is refusing to deliver to me.

I can change this to use letsencrypt, although that's going to be a
pain. For now my server will not offer STARTTLS to them at all. If I get
another email it will be interesting to see if it works.

For pretty much the only email I strictly want encrypted, I will be less
secure with a letsencrypt cert. Possibly I can tell my server to serve
up a different cert depending on who connects, but I don't know how to do
that and on a quick google I'm not sure it's possible.

I had imagined someone might refuse to accept email from an unrecognised
CA as a spamblocking measure, but to refuse to send it surprised me.
When nearly all email terminates at a third party, verifying the cert
seems excessive unless, like in my case, when you do verify it you're
looking for a particular certificate and CA.

Always deliver direct to MX and always verify the cert would be a good
place to get to but I cannot see it happening. I guess we'd have "bad
cert blacklists" to try to combat spam too...
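The check a verifying sender makes against a receiving server's STARTTLS certificate, written up as an added example (not code from anyone in this thread): it probes the server once with the system trust store and once with only an internal CA bundle, then reports which store the offered chain satisfies, which is the quickest way to confirm that "signed by my own CA" is what the remote sender is rejecting. The host name and CA bundle path on the command line are assumed placeholders for your own server.

```python
"""Probe an SMTP server's STARTTLS certificate as a verifying sender sees it."""
import smtplib
import ssl
import sys

def make_context(cafile=None):
    # cafile=None: trust the system store, i.e. what a sender that only knows
    # public CAs sees. cafile given: trust only that bundle (your internal CA).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def probe_starttls(host, port=25, cafile=None, timeout=15):
    """EHLO, STARTTLS, and report whether the offered chain verifies."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "verified": False, "reason": "no STARTTLS offered"}
        try:
            smtp.starttls(context=make_context(cafile))  # hostname check uses `host`
        except ssl.SSLCertVerificationError as exc:
            return {"starttls": True, "verified": False, "reason": exc.verify_message}
        issuer = {k: v for rdn in smtp.sock.getpeercert()["issuer"] for k, v in rdn}
        return {"starttls": True, "verified": True, "reason": "",
                "issuer": issuer.get("commonName", "")}
    finally:
        smtp.close()  # plain close; a QUIT after a failed handshake is pointless

def classify(public, private):
    """Combine the system-store and internal-CA probes into one verdict."""
    if not public["starttls"]:
        return "no-starttls"
    if public["verified"]:
        return "publicly-trusted"   # any verifying sender will deliver
    if private["verified"]:
        return "private-ca-only"    # only senders that pin your CA will verify
    return "untrusted"              # neither store accepts the chain

def diagnose(host, cafile, port=25):
    return classify(probe_starttls(host, port),
                    probe_starttls(host, port, cafile=cafile))

if __name__ == "__main__":  # usage: python probe.py mail.example.org internal-ca.pem
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A "private-ca-only" verdict is exactly the situation described above: the server offers STARTTLS and the chain is valid, but only for a sender that already trusts the internal CA.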


