Hello, saw a tweet about Let’s Encrypt for SMTP. There are some points I believe need to be known.
First of all, SMTP was designed without any hop-to-hop encryption. Unfortunately, it is not like HTTP, where it is easy to just use a different port to require encryption; SMTP goes through port 25 whether it is encrypted or not.
Secondly, certificate authorities are useless for SMTP. Servers do not validate the certificate. They can’t. There is no standardized set of trusted certificate authorities and there is no human involved to evaluate what to do when there is a problem with a certificate, so certificate authorities are just ignored.
I do believe there is value in Let’s Encrypt developers being involved in helping secure SMTP but that value is not related to certificate authorities.
Look at certificates out there used by major companies. Many are expired, many don’t match the hostname, many are self-signed. This is because SMTP does not care about the validity of the certificate. It simply doesn’t. The alternative the RFC requires is plain text, so using the public key from a problematic certificate is actually more secure than using plain text because there was a problem with the certificate.
The only way to secure SMTP to SMTP is to use DANE for SMTP.
What this does: when the receiving SMTP server uses DNSSEC and has a fingerprint of its certificate in a TLSA record for TCP port 25, the sending SMTP server refuses to connect if the receiving server either does not support a cipher in common that can be used or does not have a public key that matches the fingerprint in the TLSA record.
Those are the only things that matter with DANE for SMTP:
A) Use of DNSSEC
B) TLSA record for TCP Port 25
C) Public key fingerprint matches
Whether the certificate is signed by a certificate authority or not simply does not matter, it does not add any security at all, other SMTP servers are not going to care.
What Let’s Encrypt should be working on for SMTP is detecting whether or not the zone uses DNSSEC and helping the admin get that set up (which can’t be automated), creating a self-signed cert with a three-year life, and generating the appropriate TLSA record for the admin to add to the zone file.
That’s what secures SMTP between hops. Signed certificates do not.
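Added example (not part of the post above, and not code from Let’s Encrypt or any MTA): a small Go program that carries out the two mechanical steps the post describes, minting a self-signed certificate with a three-year life and deriving the port 25 TLSA record from its public key, and then performs the match a DANE-aware sending server does when it is offered that certificate. It uses the "3 1 1" form (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256) that RFC 6698 defines and RFC 7671 recommends for SMTP, and it uses Go's standard crypto/x509 in place of openssl. The hostname is constructed, and the code assumes, as the post does, that the zone the record goes into is DNSSEC-signed; that part cannot be done in code. The check deliberately ignores expiry, hostname and any CA signature, which is the behaviour the post describes for DANE-EE pins.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSA holds the four RDATA fields of a TLSA record (RFC 6698).
type TLSA struct {
	Usage    uint8  // 3 = DANE-EE: pins the server's own certificate, CA chain ignored
	Selector uint8  // 1 = SubjectPublicKeyInfo; 0 = full certificate DER
	Matching uint8  // 1 = SHA-256 of the selected data; 0 = exact bytes
	Data     []byte // hash or raw bytes, depending on Matching
}

// NewSelfSignedCert mints a self-signed certificate for mailHost with a three-year
// validity window ending at notAfter (pass a past time to get an expired one).
func NewSelfSignedCert(mailHost string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: mailHost},
		DNSNames:     []string{mailHost},
		NotBefore:    notAfter.AddDate(-3, 0, 0),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selectedData returns the part of the certificate the selector refers to.
func selectedData(cert *x509.Certificate, selector uint8) ([]byte, error) {
	switch selector {
	case 0:
		return cert.Raw, nil
	case 1:
		return cert.RawSubjectPublicKeyInfo, nil
	}
	return nil, fmt.Errorf("unsupported selector %d", selector)
}

// TLSAFromCert derives the "3 1 1" record the admin publishes for this certificate.
func TLSAFromCert(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, Matching: 1, Data: sum[:]}
}

// ZoneLine renders the record as it goes into the zone file for TCP port 25.
func (t TLSA) ZoneLine(mailHost string) string {
	return fmt.Sprintf("_25._tcp.%s. IN TLSA %d %d %d %s",
		mailHost, t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data))
}

// ParseTLSA reads the RDATA "usage selector matching hex" as returned by a DNS lookup.
func ParseTLSA(rdata string) (TLSA, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return TLSA{}, fmt.Errorf("expected 4 fields, got %d", len(f))
	}
	var n [3]uint8
	for i := 0; i < 3; i++ {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return TLSA{}, err
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(f[3])
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: n[0], Selector: n[1], Matching: n[2], Data: data}, nil
}

// Matches is the sender-side check: does the selected data (or its hash) equal the
// published record? Expiry, hostname and CA signature are not consulted for DANE-EE.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	if t.Usage != 3 {
		return false // only DANE-EE is modelled here; usages 0-2 need chain building
	}
	data, err := selectedData(cert, t.Selector)
	if err != nil {
		return false
	}
	switch t.Matching {
	case 0:
		return bytes.Equal(data, t.Data)
	case 1:
		sum := sha256.Sum256(data)
		return bytes.Equal(sum[:], t.Data)
	}
	return false
}

func main() {
	host := "mx.example.invalid" // constructed hostname, not a real mail server
	cert, err := NewSelfSignedCert(host, time.Now().AddDate(3, 0, 0))
	if err != nil {
		panic(err)
	}
	rec := TLSAFromCert(cert)
	fmt.Println(rec.ZoneLine(host))
	fmt.Println("sender accepts offered cert:", rec.Matches(cert))
}
```

The SPKI selector is chosen so the published hash survives re-issuing the certificate with the same key; only a key rollover needs a new record, and then both records should be published until the old certificate is gone from the server.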