[Bimi] Re: Possible security flaw in BIMI spec / interaction of BIMI-supporting MUA with non-BIMI-supporting MTA

Mauro De Gennaro <mauro@stalw.art> Sat, 25 May 2024 04:19 UTC

Return-Path: <mauro@stalw.art>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C7BC14F6E8 for <bimi@ietfa.amsl.com>; Fri, 24 May 2024 21:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stalw.art header.b="G+2EtkP5"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=stalw.art header.b="pb4almYY"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hSruSu-nNG8r for <bimi@ietfa.amsl.com>; Fri, 24 May 2024 21:19:45 -0700 (PDT)
Received: from mail.stalw.art (mail.stalw.art [135.181.195.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A194FC14CEFD for <bimi@ietf.org>; Fri, 24 May 2024 21:19:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; s=202404r; d=stalw.art; c=relaxed/relaxed; h=To:Message-Id:Date:From:Subject; t=1716610776; bh=2fR4P73gEWKybcO0NoMla61 DCz1Fw6N031f5L4PJNxc=; b=G+2EtkP5wrArzE2Lm0doD7SUbxNgM57hxmROGso/1q9lw5F9Ae UH1oA3P8/pSaacLk7vTbkRzFtThiGgk9+C4DAFONrrUjzE7ig1I8WHGglVBKYUXekCY42xtPG00 MINJ/5+c/3aSVr2yWOSlEjk7PzPXUvF2306QuK4thFDoJNuWkFWC4TO1WakAL+GCGGfuuE6FWIR wL2vvqx0liFsWBFhoe86KOe6FOQa8JCx7GFZ1L2RSrOcKf4xE5i3GIieMjXSEehGzk9fPFKa+9I V7ojr9BZgz/mZnKVTfBag3wD4ddXtkXAWoYWaD3/9K1m452446Xx/Z5V4jJ1IVboJ5w==;
DKIM-Signature: v=1; a=ed25519-sha256; s=202404e; d=stalw.art; c=relaxed/relaxed; h=To:Message-Id:Date:From:Subject; t=1716610776; bh=2fR4P73gEWKybcO0NoMla61 DCz1Fw6N031f5L4PJNxc=; b=pb4almYY+MjkEtHdvox2yOYsSN/Llfq0B1i1Fgj+zJJMGYX21O IHP3OuylM5ta6pmUORWLalBg+MXkpa0NnOAA==;
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mauro De Gennaro <mauro@stalw.art>
In-Reply-To: <0FCC91A7-4A38-496A-860A-A1F9ED15D080@stalw.art>
Date: Sat, 25 May 2024 06:19:25 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A49B411D-7FE3-4BB7-8847-DBD0CBBB9C5B@stalw.art>
References: <20240505132144.1b62ff64@computer> <f47170e3-66b2-4ccf-8dd7-179d84696d86@zone.ee> <ed09648a-18dc-41f5-98be-2cf6ee88d49a@dcrocker.net> <3C8290F9-3ED4-4CB3-97AE-DF55E29CE2C1@stalw.art> <e3217dce-0bec-48fe-b549-e29e73d6ea45@dcrocker.net> <9F3A05A8-2BDE-4894-855B-75FED09686EB@stalw.art> <MN2PR11MB43512306CDBE744A244319F8F7F52@MN2PR11MB4351.namprd11.prod.outlook.com> <0FCC91A7-4A38-496A-860A-A1F9ED15D080@stalw.art>
To: "Brotman, Alex" <Alex_Brotman=40comcast.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Message-ID-Hash: VG2AASRNIZIKFQ2MA6TDJPBGT7I3G6GZ
X-Message-ID-Hash: VG2AASRNIZIKFQ2MA6TDJPBGT7I3G6GZ
X-MailFrom: mauro@stalw.art
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dcrocker@bbiw.net" <dcrocker@bbiw.net>, "bimi@ietf.org" <bimi@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Bimi] Re: Possible security flaw in BIMI spec / interaction of BIMI-supporting MUA with non-BIMI-supporting MTA
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/jMkfjAnmIJS6r4q-JgV4bLC5Za8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Owner: <mailto:bimi-owner@ietf.org>
List-Post: <mailto:bimi@ietf.org>
List-Subscribe: <mailto:bimi-join@ietf.org>
List-Unsubscribe: <mailto:bimi-leave@ietf.org>

Alex,

I’ve just realised that the TLS-based mechanism I proposed in my previous email could be challenging to implement in multi-tenant scenarios where, for example, the MUA connects to mail.mycorp.org while the MBP is validating BIMI using isp.net. This can create complications in ensuring the authenticity of BIMI-Receiver-Signatures.

To address these challenges, I propose below two new mechanisms to flag BIMI-awareness. Being "BIMI-aware" means that the message store guarantees the following to the MUA:

- Any BIMI-Receiver-Signature found in a message has been generated by the MBP itself.
- All external BIMI-Receiver-Signatures received either via SMTP or through IMAP/JMAP append operations have been removed.

The two new mechanisms to flag BIMI-awareness I propose are:

- Introduce a new "BIMI" capability in the IMAP CAPABILITIES response and the JMAP Session Resource object. Implementing this should be fairly simple but requires a new IANA registration for the capability.
- Add a new CNAME entry for each message store within the MBP indicating BIMI-aware status. The entry would look something like "_bimi.<hostname> CNAME TXT 'v=BIMI1;'", ensuring a clear and direct method to verify the message store's capabilities. For example, if the MBP allows clients to retrieve emails from both "mail.isp.net" and "mail.mycorp.org," this would necessitate two distinct CNAME entries: "_bimi.mail.isp.net" and "_bimi.mail.mycorp.org”.

The DNS-based mechanism is my preferred solution due to its simplicity and the direct way it communicates the BIMI-aware status to the MUA.


Best,
Mauro De Gennaro
Stalwart Labs Ltd.


> On 24 May 2024, at 22:57, Mauro De Gennaro <mauro@stalw.art> wrote:
> 
> Alex,
> 
> Sorry I missed the original post.
> 
> I have just reviewed your draft and it closely aligns with my thoughts. However, I am particularly concerned about the injection of headers into an unaware MBP, as briefly discussed in sections 6.1.1 and 6.1.2.
> 
> To address this issue, I propose an additional mechanism that enables the MUA to determine which BIMI-Receiver-Signature headers are trustworthy. This mechanism would involve validating BIMI-Receiver-Signature headers only if they are signed by a domain that either:
> 
>   - Appears in the IMAP greeting banner (or the JMAP session object).
> 
> or,
> 
> - Corresponds with the server name or matches one of the Subject Alternative Names in the certificate used to establish the TLS connection with the mail store.
> 
> The latter option offers a more robust solution, ensuring a higher degree of security and reliability in the validation process.
> 
> 
> 
> Best,
> Mauro De Gennaro
> Stalwart Labs Ltd.
> 
> 
>> On 24 May 2024, at 21:13, Brotman, Alex <Alex_Brotman=40comcast.com@dmarc.ietf.org> wrote:
>> 
>> Mauro,  A couple of weeks ago, I had posted a document to this list that may help with that scenario:
>>  https://mailarchive.ietf.org/arch/msg/bimi/n_n4N1ueDH8v2yqGzvW-o6_lXBk/
>>  The rough gist is that the MTA adds a few more headers, and signs them all.  There are mechanism for revocation as well.
>>  -- Alex Brotman
>> Sr. Engineer, Anti-Abuse & Messaging Policy
>> Comcast
>>  From: Mauro De Gennaro <mauro=40stalw.art@dmarc.ietf.org> 
>> Sent: Friday, May 24, 2024 2:24 PM
>> To: dcrocker@bbiw.net
>> Cc: bimi@ietf.org
>> Subject: [Bimi] Re: Possible security flaw in BIMI spec / interaction of BIMI-supporting MUA with non-BIMI-supporting MTA
>>  Hi Dave,
>> Some don't.  Some do.  The limitation is not inherent in the nature of MUAs.
>>  Thanks for your feedback but I believe the opposite, that these limitations are indeed inherent. 
>>  Even if a MUA were to attempt to replicate all BIMI validations independently, it inherently lacks access to crucial data such as the SMTP envelope or the IP address of the sending server. These elements are essential for assessing DMARC alignment, which is central to the BIMI validation process as we know.
>>  While it's true that this information might be available in the Authentication-Results headers, we circle back to the same foundational issue: it requires MUAs to implicitly trust the MTA. Unless you operate within an integrated environment like Gmail or Fastmail, where the MUA and MTA are closely coupled, this trust model poses significant challenges.
>>  The nature of most MUAs, being independent from the MTAs, restricts them from performing standalone, reliable BIMI validations without either implicit trust in the MTA or a robust mechanism to verify the trustworthiness of the information provided by the MTA. This was the rationale behind my suggestion to use ARC sealing as a method to pass down trust, ensuring both the authenticity and integrity of BIMI headers directly from the server.
>>   Best,
>> Mauro De Gennaro
>> Stalwart Labs Ltd.
> 
>