Re: [dane] Delivery of email if MX is not signed

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 August 2015 23:17 UTC

Date: Sun, 23 Aug 2015 23:17:26 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150823231726.GC9021@mournblade.imrryr.org>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se> <20150823185057.GJ5112@x28.adm.denic.de> <0E722F2F-510C-4060-86C2-41190F724DBA@frobbit.se>
In-Reply-To: <0E722F2F-510C-4060-86C2-41190F724DBA@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/164tP32Bu2bkGNkvWf07JRTJm80>

On Sun, Aug 23, 2015 at 09:07:10PM +0200, Patrik Fältström wrote:

> What I think I see in the draft is that "DANE and SMTP" is either "on" or "off", and I want more shades of gray.
> 
> 1. Unsigned MX, Unsigned A/AAAA, not using TLS at all

No, this correctly uses opportunistic *unauthenticated* TLS, and
the certificate is irrelevant.

> 4. Unsigned MX, Signed A/AAAA, TLS used with cert signed by CA (i.e. trusted cert)

This is useless, without per-destination static configuration.

> 5. Unsigned MX, Signed A/AAAA, TLS used with cert validated with signed TLSA (i.e. trusted cert)

This does not provide adequate MiTM protection, but the draft does
not rule out clients that might do this, rather it does not specify
use of DANE for this case.  If enough users want this, such features
could be added to Postfix.  The delivery is not immune to active
attacks, but arguably somewhat stronger than ignoring such TLSA
RRs.

The primary use-case would be a provider that is MX hosting lots
of domains, many of which are not DNSSEC signed, but the MX hosts
are.

> 6. Signed MX, Signed A/AAAA, TLS used with cert validated with signed TLSA

The draft (soon to be RFC) is about case 6.

-- 
	Viktor.
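An added illustration of the policy split Viktor describes (not code from this thread or from Postfix): the SMTP client consults TLSA records only for an MX host obtained from a DNSSEC-signed MX RRset, which is the rule of the draft (later RFC 7672). The enum names, the `smtp_tls_policy` function and the case numbering are assumptions made here to map Patrik's cases onto that rule.

```python
from enum import Enum
from typing import Dict, Optional


class Dns(Enum):
    """DNSSEC validation status of an RRset as seen by the client's resolver."""
    SECURE = "secure"      # signed and validated
    INSECURE = "insecure"  # unsigned zone, nothing to validate
    BOGUS = "bogus"        # signed, but validation failed


class Outcome(Enum):
    DEFER = "defer delivery"
    CLEARTEXT = "cleartext (peer offers no STARTTLS)"
    OPPORTUNISTIC = "opportunistic TLS, unauthenticated"
    DANE = "DANE-authenticated TLS (certificate matched a TLSA record)"


def smtp_tls_policy(mx: Dns, tlsa: Optional[Dns], starttls: bool) -> Outcome:
    """Decide the TLS policy for one MX host. `tlsa` is None when the TLSA
    lookup for the MX host returned no records."""
    # An MX RRset that fails validation cannot be trusted at all.
    if mx is Dns.BOGUS:
        return Outcome.DEFER
    # Unsigned MX (cases 1, 4 and 5): a DNS spoofer chooses the MX host, so a
    # signed TLSA at that host or a CA-signed cert does not bind the session
    # to the intended domain. TLSA is ignored; TLS stays opportunistic.
    if mx is Dns.INSECURE:
        return Outcome.OPPORTUNISTIC if starttls else Outcome.CLEARTEXT
    # Signed MX: a bogus TLSA answer is a downgrade signal, not "no DANE".
    if tlsa is Dns.BOGUS:
        return Outcome.DEFER
    # Signed MX and signed TLSA (case 6): authentication is mandatory, and
    # a peer that does not offer STARTTLS is deferred rather than used in clear.
    if tlsa is Dns.SECURE:
        return Outcome.DANE if starttls else Outcome.DEFER
    # Signed MX but no (or unsigned) TLSA: back to opportunistic TLS.
    return Outcome.OPPORTUNISTIC if starttls else Outcome.CLEARTEXT


def patriks_cases() -> Dict[int, Outcome]:
    """Patrik's numbered cases as quoted above (2 and 3 are not in this message).
    Case 1 is given starttls=False to match its wording; with STARTTLS offered
    it takes the same unsigned-MX branch and yields OPPORTUNISTIC."""
    return {
        1: smtp_tls_policy(Dns.INSECURE, None, starttls=False),
        4: smtp_tls_policy(Dns.INSECURE, None, starttls=True),  # CA cert, no TLSA
        5: smtp_tls_policy(Dns.INSECURE, Dns.SECURE, starttls=True),
        6: smtp_tls_policy(Dns.SECURE, Dns.SECURE, starttls=True),
    }
```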