Use of SRV Records for Locating Email Submission/Access Services

Abstract: This specification describes how SRV records can be used to locate email services.

“…The 2. When using email service discovery procedure specified in [RFC6186], the client MUST also use the domain portion of the user's email address as another "reference identifier" to compare against an SRV-ID identifier in the server certificate.…”

“…Support for the SRV-ID identifier type (subjectAltName of SRVName type [RFC4985]) is REQUIRED for email client software implementations that support [RFC6186]. A list of SRV-ID types for email services is specified in [RFC6186]. For the ManageSieve protocol, the service name "sieve" is used.…”

“…A certificate for this service needs to include DNS-IDs of "example.net" (because it is the domain portion of emails) and "mail.example.net" (this is what a user of this server enters manually if not using [RFC6186]). It might also include a CN-ID of "mail.example.net" for backward compatibility with deployed infrastructure.…”

“…In addition to the DNS-ID/CN-ID identity types specified above, a certificate for this service also needs to include SRV-IDs of "_imap.example.net" (when STARTTLS is used on the IMAP port) and "_imaps.example.net" (when TLS is used on IMAPS port). See [RFC6186] for more details. (Note that unlike DNS SRV there is no "_tcp" component in SRV-IDs).…”

“…In addition to the DNS-ID identity types specified above, a certificate for this service also needs to include a DNS-ID of "mycompany.example.com" (this is what a user of this server enters manually if not using [RFC6186]). It might also include a CN-ID of "mycompany.example.com" instead of the CN-ID "mail.example.net" for backward compatibility with deployed infrastructure.…”

Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols

“…The 2. When using email service discovery procedure specified in [RFC6186], the client MUST also use the domain portion of the user's email address as another "reference identifier" to compare against an SRV-ID identifier in the server certificate.…”

“…Support for the SRV-ID identifier type (subjectAltName of SRVName type [RFC4985]) is REQUIRED for email client software implementations that support [RFC6186]. A list of SRV-ID types for email services is specified in [RFC6186]. For the ManageSieve protocol, the service name "sieve" is used.…”

“…A certificate for this service needs to include DNS-IDs of "example.net" (because it is the domain portion of emails) and "mail.example.net" (this is what a user of this server enters manually if not using [RFC6186]). It might also include a CN-ID of "mail.example.net" for backward compatibility with deployed infrastructure.…”

“…In addition to the DNS-ID/CN-ID identity types specified above, a certificate for this service also needs to include SRV-IDs of "_imap.example.net" (when STARTTLS is used on the IMAP port) and "_imaps.example.net" (when TLS is used on IMAPS port). See [RFC6186] for more details. (Note that unlike DNS SRV there is no "_tcp" component in SRV-IDs).…”

“…In addition to the DNS-ID identity types specified above, a certificate for this service also needs to include a DNS-ID of "mycompany.example.com" (this is what a user of this server enters manually if not using [RFC6186]). It might also include a CN-ID of "mycompany.example.com" instead of the CN-ID "mail.example.net" for backward compatibility with deployed infrastructure.…”

Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols

SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)

Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access