Items tagged with: smtp
🧵 1/5 @padraig @thunderbird Took a little searching but I am working again! Yay. The complexity is that which setup to use with Exchange can be legacy (POP3, IMAP+SMTP, EAS, EWS/OWA) or current Graph API. Thunderbird 140 supports all of the legacy API but not yet Graph API.
#thunderbird #tb140 #TbSync #EAS4TbSync #exchange #ews #owa #eas #imap #pop3 #smtp #GraphAPI #WhyIsMicrosoftSoHard
Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?
We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).
Well, turns out someone now reported that it indeed breaks #XMPP entirely: community.letsencrypt.org/t/do…
This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which has requirements from the CA/Browser forum who apparently don’t care about anything else than the web browser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.
So, yes, Google’s requirement change is after all breaking Jabber entirely. Shame on anyone who thinks evil of it.
Update: it also breaks the connections between domain registrars and registries, with most being unaware that there even is a problem at this time, let alone the crazily short timeframe. See the thread linked to in a self-reply, which also confirms that the CA/Browser forum is supporting Google in this (possibly by means of Google paying, my interpretation).
While nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.
Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, and who has significant skills to argue this in English and is willing to, would bring it to them.
① mine: toot.mirbsd.org/@mirabilos/sta…
② jwildeboer’s: social.wildeboer.net/@jwildebo…
Do *NOT* remove TLS Client Auth EKU!
I was also bit by this. I switched to tlsserver profile, and when my XMPP certificate got renewed today, it failed to make any S2S connections :(. I had to revert to classic profile. Could we please keep TLS client auth EKU? Thanks!
Let's Encrypt Community Support
The only real difficulty I encountered was that my SMTP server needed to present the entire certificate chain to mail senders; otherwise, some of them (Google, at least) would fail to verify the certificate.
#SMTP #MailServer