💾 Archived View for bbs.geminispace.org › s › misfin › 5640 captured on 2023-09-28 at 15:53:41. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
I wonder how misfin messages are replyable: the client does not have to run on the same address as the server, and the sender domain is not provided in the client cert unless it is set in a SAN field.
2023-09-27 · 1 day ago
@alexlehm You're right, apart from the SAN there's no way to tell; that's what the main implementation uses to determine the sender's address. But IMO it's good enough: if the SAN is invalid, well, you just can't be reached ...
I guess I should add logging of the SAN from the certificate to my server
The cert is always the cert you would use on the server, but you're just using it on the client. The SAN of your "client cert" should be your sender domain, and it needs to be the same fingerprint as what your server sends back when someone sends you an email.
The information in a client cert is your sender info, not your client info, because your client isn't guaranteed to be public-facing.
This is why when you verify on the server end, you don't try to match the sender hostname to the cert hostname, but you can send a blank request to the cert's hostname (since it is guaranteed to be some server if the mailbox is valid) and get the fingerprint from there & match it.
Also, it is the receiving mailserver's responsibility to add the sender as a message comes in. So the receiving mailserver just uses the client cert's User_ID field and SubjAltNames field to create the address, with the CN as the blurb.
This is at least my understanding behind the spec, but I could be wrong. @lem-two @lem could clarify this, since I think they've returned.
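The check discussed in this thread, sketched as an added example that is not part of the original posts or of any Misfin implementation: build the sender address from the client certificate's user ID and SAN (CN as the blurb), then accept it only if the SAN host serves a certificate with the same fingerprint. Assumptions: the certificate fields are already parsed into the dict shape Python's `ssl.getpeercert()` uses, the fingerprint is SHA-256 over the DER bytes, the port is 1958, and all function names are hypothetical.

```python
import hashlib
import hmac
import ssl

MISFIN_PORT = 1958  # assumption: port is not stated in the thread


def fingerprint(der: bytes) -> str:
    # Assumption: fingerprint = SHA-256 over the DER-encoded certificate.
    return hashlib.sha256(der).hexdigest()


def sender_from_cert(cert: dict) -> dict:
    """Build sender info from parsed cert fields (getpeercert() dict shape)."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    hosts = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    user = subject.get("userId")  # assumption: UID attribute key name
    if not user or not hosts:
        # Without a UID and a DNS SAN there is no address to reply to.
        raise ValueError("certificate has no userId or no DNS SAN")
    return {"address": f"{user}@{hosts[0]}", "host": hosts[0],
            "blurb": subject.get("commonName", "")}


def fetch_server_der(host: str, port: int = MISFIN_PORT) -> bytes:
    # Network step: connect to the SAN host and take the cert it presents.
    # No CA validation is done here; the fingerprint comparison is the check.
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def verify_sender(cert: dict, client_der: bytes, fetch=fetch_server_der) -> dict:
    """Mark the sender verified only if the SAN host serves the same cert."""
    sender = sender_from_cert(cert)
    server_der = fetch(sender["host"])
    sender["verified"] = hmac.compare_digest(
        fingerprint(client_der), fingerprint(server_der))
    return sender


if __name__ == "__main__":
    # Constructed sample: parsed fields and stand-in DER bytes, no network.
    parsed = {"subject": ((("userId", "alice"),),
                          (("commonName", "Alice Example"),)),
              "subjectAltName": (("DNS", "mail.example.org"),)}
    print(verify_sender(parsed, b"cert-A", fetch=lambda host: b"cert-A"))
    print(verify_sender(parsed, b"cert-A", fetch=lambda host: b"cert-B"))
```

The `fetch` parameter exists so the comparison can be exercised offline; a server would log the SAN and both fingerprints whenever `verified` is false.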