Frank fiene wrote:
> It was not designed for client authentication. But what is the problem for Mailserver to Mailserver authentication in both directions?
Many people do not consider e.g. client certs for authenticating the client to be necessary for establishing the encrypted channel. Also there's currently standard defining how the name check should be done for client certs. IMO client certs could be helpful to fight spam.
> All well-administered mail systems have reverse DNS configured; if that were DNSSEC-secured, perfect! So reverse DNS, then TLSA/DNSSEC plus certificate validation, and everything would be fine for both sides!
Don't mix different things!
If you're after DNSSEC validation of PTR lookups you could implement a local policy in your DNS resolver like this: If there's a RRSIG RR for a PTR RR and this does not validate correctly then consider the PTR RR to be non-existent. Your MTA would then consider the PTR RR to be not present and apply whatever you've implemented as sender restriction policy for absent reverse lookup.
Ciao, Michael.
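To show how the resolver-side policy sketched above maps onto real software, here is an added configuration sketch (not from the thread) assuming an Unbound validating resolver in front of a Postfix MTA; neither product is named in the message. One caveat worth knowing: Unbound does not turn a PTR with a bad RRSIG into "non-existent", it answers SERVFAIL, and Postfix treats that as a temporary lookup failure (450) rather than as an absent PTR.

```conf
# unbound.conf (assumed resolver on 127.0.0.1): validate PTR answers with DNSSEC.
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Keep the default: a PTR whose RRSIG does not validate yields SERVFAIL,
    # the unsigned/bogus answer is never handed to the MTA.
    val-permissive-mode: no
    # Log validation failures so bogus reverse zones are visible to operators.
    val-log-level: 2

# Postfix main.cf (assumed MTA): act on the outcome of the reverse lookup.
#   PTR absent (NXDOMAIN/NODATA, validated)  -> unknown_client_reject_code
#   resolver SERVFAIL (bogus RRSIG, timeout)  -> always 450 (temporary)
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_reverse_client_hostname,
    permit
# Permanent reject for a genuinely missing PTR; temporary failures still get 450.
unknown_client_reject_code = 550
```

With this split, a DNSSEC-bogus reverse zone causes the sender to be deferred and retried, whereas a signed proof of non-existence is rejected outright; if the "treat bogus as absent" semantics from the message are wanted, the mapping from SERVFAIL to NXDOMAIN has to be done in the resolver or MTA, not by these two settings alone.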