SMTP/TLS certificate usage

Forgive the ignorance. Just renewed our certificates and went with a new CA. Long story short we had to break out our SMTP/TLS and HTTPS certs. into two separate ones this time around where previously we had a SAN. We have exchange server with ESA as gateway. Exchange and the ESA's HTTPS cert. were installed but our SMTP/TLS cert. was delayed and the current cert. eventually expired. However everything continued working fine. I think I misunderstood the purpose of the SMTP/TLS cert. I thought it was for all the mail the ESA forwarded on behalf of the exchange. Could someone enlighten me on the actual process because I obviously have it wrong in my head.
Best Answer
BWC Cybersecurity Overlord ✭✭✭
Well, it comes down to "hey, it's me, the ESA for mail.domain.com and here is the cert to prove it". What the sender is doing with that information is not foreseeable, it can be ignored and any cert would have worked or it could be enforced by matching names, validity etc. Using DANE (something ESA isn't capable of) is also an option to make sure to connect to the right host with the right cert.
The cert (and key) is needed to establish an encrypted connection.
—Michael@BWC
Answers
@djhurt1 the cert for SMTP is used only on the server side when receiving mails, not involved in the sending part.
If you're familiar with postfix you might have used the smtpd_tls and smtp_tls directives, which are for receiving and sending, but even in postfix smtp_tls_cert_file for sending is rarely used because the receiving side has to be able to deal with it.
—Michael@BWC
@BWC I suspect that's the part that confused me. What is the purpose of the cert. in that scenario other than authentication? ESA uses the cert. to prove to the sending system that the ESA is who it claims to be?
@BWC I previously assumed the encrypted connection was established with the sending/connecting servers certificate.
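To see concretely what BWC describes, here is an added example (not from this thread and not SonicWall ESA code) that connects to a gateway the way a sending MTA does, issues STARTTLS, and reports the certificate the receiving side presents, so an expired or mismatched SMTP/TLS cert shows up as the verification error a strict sender would hit. SAMPLE_CERT and the example.com host names are constructed for the offline checks; the live probe is the `probe_starttls` function.

```python
import smtplib
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "esa.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def cert_names(cert):
    """All DNS names the server cert claims: SAN entries first, then the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def assess_cert(cert, hostname, now=None):
    """What a sender that checks would conclude: name match and validity."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_names(cert)
    return {
        "names": names,
        "hostname_ok": any(name_matches(n, hostname) for n in names),
        "expired": now > not_after,
        "days_left": int((not_after - now) // 86400),
    }

def probe_starttls(host, port=25, timeout=10):
    """Connect like a sending MTA, STARTTLS, and report the gateway's cert.
    Verification stays on, so a bad cert comes back as the error text."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ssl.create_default_context())
            return assess_cert(smtp.sock.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": exc.verify_message}
```

Run `probe_starttls("mail.yourdomain.example")` against your own gateway: a `days_left` close to zero or an `"error"` such as a hostname mismatch is what a sender that enforces checks would have seen during the gap the question describes.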