1 (edited by evenmoreconfused 2025-05-17 22:35:37)

Topic: Upcoming LetsEncrypt Changes

LetsEncrypt have announced that their certificates will stop including the client-side bit starting in 2026: https://letsencrypt.org/2025/05/14/endi … ntication/

The general use case for LetsEncrypt is for web servers, which only need the server-side bit, but several people have already protested that SMTP using TLS needs this client part of the cert (see the discussion at https://community.letsencrypt.org/t/do- … u/237427/5 ).

I am wondering if this will affect iRedMail installations, and, if so, can we expect that the necessary changes will be part of the regular update stream? The required changes seem a bit daunting to us amateurs!

Thanks as always for all help,
Paul


2 (edited by evenmoreconfused 2025-05-17 22:57:29)

Re: Upcoming LetsEncrypt Changes

After a bit more reading it seems that Postfix does not by default require validation of client certificates, although it can be configured that way (don't know if iRedMail does so). However, Sendmail does check.

Some say that a failed validation just creates a warning in the headers, but even if that's true, the spam detection algorithms might then downgrade the authenticity rating of the message, resulting in more false positive spam detection.

But if I understand correctly, this is not about how our Postfix is configured but rather how the receiving partner MTA is configured (which could be Postfix, or Exchange, or whatever).

Is that right?

3

Re: Upcoming LetsEncrypt Changes

iRedMail doesn't use client auth.
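
Added example, not part of any post in this thread and not iRedMail's own code: a shell function that reads `postconf -n` output and reports where a Postfix host uses TLS client certificates. OUTBOUND lines mean the host presents a certificate when it connects to other servers (the case the thread asks about); INBOUND lines mean it asks for, requires, or authorizes on client certificates from others. The two sample configurations and their paths are constructed for illustration.

```bash
#!/bin/sh
# Real use:  postconf -n | tls_client_auth_findings
# Reads "name = value" lines on stdin, prints one finding per line.
tls_client_auth_findings() {
  awk -F' *= *' '
    # Postfix as TLS client: a certificate is configured for outgoing SMTP/LMTP.
    $1 ~ /^(smtp|lmtp)_tls_(cert_file|eccert_file|dcert_file|chain_files)$/ && $2 != "" {
      print "OUTBOUND " $1; next }
    # Postfix as TLS server: asks for or requires a certificate from the peer.
    $1 ~ /^smtpd_tls_(ask|req)_ccert$/ && $2 == "yes" {
      print "INBOUND " $1; next }
    # Fingerprint table used for certificate-based relay authorization.
    $1 == "relay_clientcerts" && $2 != "" {
      print "INBOUND " $1; next }
    # Any restriction list that grants access based on a client certificate.
    $0 ~ /permit_tls_(all_)?clientcerts/ {
      print "INBOUND " $1 " (uses permit_tls_*clientcerts)" }
  '
}

# Constructed sample: server certificate only, no client-certificate use.
SAMPLE_SERVER_ONLY='smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_cert_file =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Constructed sample: presents a client certificate and authorizes relay by certificate.
SAMPLE_CLIENT_CERT='smtp_tls_cert_file = /etc/ssl/certs/example.crt
smtp_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_ask_ccert = yes
smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination
relay_clientcerts = hash:/etc/postfix/relay_clientcerts'

echo "== server-only sample =="
printf '%s\n' "$SAMPLE_SERVER_ONLY" | tls_client_auth_findings
echo "== client-certificate sample =="
printf '%s\n' "$SAMPLE_CLIENT_CERT" | tls_client_auth_findings
```

No output for a configuration means none of these parameters is set, so that host neither presents nor checks client certificates; what a remote MTA does with a certificate it receives is decided by that MTA's configuration.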