Path: ...!weretis.net!feeder9.news.weretis.net!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: Claus =?iso-8859-1?Q?A=DFmann?= <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
Newsgroups: comp.mail.sendmail
Subject: Re: Trusted CA config (was: Re: adding CA certificates (for use by sendmail))
Date: Fri, 10 Jan 2025 12:09:59 -0500 (EST)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <vlrk97$j5j$1@news.misty.com>
References: <87ttcbly3k.fsf@example.com> <vh2uu2$jqr$1@news.misty.com> <87h68a526z.fsf@miraculix.mork.no> <87frlsoxci.fsf_-_@miraculix.mork.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 10 Jan 2025 17:09:59 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
	logging-data="19635"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
Bytes: 1580
Lines: 11

Bjørn Mork  wrote:

> But how are we supposed to configure a sendmail server then?  MTA-STS
> means that the trusted CA list must include every public CA. Using the
....
> can get a trusted client certificate, then "AUTH EXTERNAL" is pretty
> much an open relay. What am I missing?

MTA-STS has probably been "designed" by people who use http(s) for
everything - without considering the implications. And just like
SPF it breaks existing e-mail practices....