Re: [dane] Delivery of email if MX is not signed
Paul Wouters <paul@nohats.ca> Sun, 23 August 2015 17:47 UTC
Date: Sun, 23 Aug 2015 13:47:12 -0400
From: Paul Wouters <paul@nohats.ca>
To: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se>
Message-ID: <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/AwzhZAgy8NsiQnv5MqMgBT5qrFA>
Cc: dane@ietf.org
Subject: Re: [dane] Delivery of email if MX is not signed
On Sun, 23 Aug 2015, Patrik Fältström wrote:

> Also, in my example the RRSet the MX is in is _unsigned_:
>
> example.com. IN MX 0 mail.example.net.
>
> 2. Delivery of the mail over TLS to mail.example.net.

So example.com is unsigned? And mail.example.net is signed, and the TLSA
record in example.net is signed.

In that case, I believe TLS will be used but the TLSA cannot be verified,
so while delivery happens over TLS, there is no way to verify the identity
of the receiver because the MX record could have been spoofed.

I think you are arguing that it should deliver TLS only after validation
of the TLSA record for mail.example.net. That validation is a false sense
of security though.

I don't think mail delivery will be halted. Since the example.com domain is
unsigned, anonymous TLS will be used when available, and no verification
will take place.

I'm not sure what you are proposing to change?

Paul
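The decision Paul describes (an unsigned MX RRset means the MX host's TLSA record is never used, so delivery falls back to unauthenticated, opportunistic TLS) is the policy an outbound MTA applies under DANE for SMTP (RFC 7672). The following is an added example, not code from the thread or from any MTA: it models that policy over a constructed, in-memory DNS table. The `Sec` status values, the `FAKE_DNS` table, the `choose_policy` function and the placeholder TLSA digests are all assumptions made for this illustration; no network lookups are made.

```python
"""Added example (not from the list thread): how an outbound SMTP client
picks its TLS policy for a destination under DANE for SMTP (RFC 7672),
driven by the DNSSEC validation status of each DNS answer.
All DNS data is constructed inline; TLSA digests are placeholders."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Sec(Enum):
    """Validation status of one answer, as a validating resolver reports it."""
    SECURE = "secure"      # validated chain of trust (AD bit set)
    INSECURE = "insecure"  # provably unsigned (insecure delegation)
    BOGUS = "bogus"        # validation failed (SERVFAIL from a validating resolver)


class Policy(Enum):
    DANE = "TLS required and authenticated against TLSA"
    TLS_ONLY = "TLS required, but no usable TLSA record, so unauthenticated"
    OPPORTUNISTIC = "TLS if offered, cleartext otherwise, no authentication"
    DEFER = "do not deliver now: DNS validation failed"


@dataclass
class Answer:
    rdata: List[str]
    status: Sec


# Constructed lookup table standing in for a validating resolver.
FAKE_DNS: Dict[Tuple[str, str], Answer] = {
    # Patrik's scenario: the MX RRset is NOT signed, the MX host's zone is.
    ("example.com.", "MX"): Answer(["0 mail.example.net."], Sec.INSECURE),
    ("_25._tcp.mail.example.net.", "TLSA"): Answer(["3 1 1 PLACEHOLDER_SPKI_SHA256"], Sec.SECURE),
    # Contrast: a fully signed path from the MX RRset to the TLSA RRset.
    ("example.org.", "MX"): Answer(["10 mx1.example.org."], Sec.SECURE),
    ("_25._tcp.mx1.example.org.", "TLSA"): Answer(["3 1 1 PLACEHOLDER_SPKI_SHA256"], Sec.SECURE),
    # Signed MX whose host has a bogus (failed validation) TLSA RRset.
    ("example.edu.", "MX"): Answer(["10 mx.example.edu."], Sec.SECURE),
    ("_25._tcp.mx.example.edu.", "TLSA"): Answer([], Sec.BOGUS),
    # Signed MX and signed TLSA, but only a PKIX-TA(0) record, unusable for SMTP.
    ("example.net.", "MX"): Answer(["10 smtp.example.net."], Sec.SECURE),
    ("_25._tcp.smtp.example.net.", "TLSA"): Answer(["0 0 1 PLACEHOLDER_CERT_SHA256"], Sec.SECURE),
}


def lookup(owner: str, rtype: str) -> Answer:
    """Return the constructed answer; an absent name is a secure NODATA answer."""
    return FAKE_DNS.get((owner, rtype), Answer([], Sec.SECURE))


def tlsa_usable(rr: str) -> bool:
    """RFC 7672 section 3.1: only DANE-TA(2) and DANE-EE(3) are usable for SMTP."""
    return int(rr.split()[0]) in (2, 3)


def choose_policy(domain: str) -> Tuple[Policy, str]:
    """Return the TLS policy for mail to `domain` and the reason for it."""
    mx = lookup(domain, "MX")
    if mx.status is Sec.BOGUS:
        return Policy.DEFER, "MX lookup for %s failed validation" % domain
    if mx.rdata:
        # Lowest preference value first; only the best MX is modelled here.
        host = sorted(mx.rdata, key=lambda r: int(r.split()[0]))[0].split()[1]
    else:
        host = domain  # no MX: RFC 5321 falls back to the domain itself
    if mx.status is Sec.INSECURE:
        # The point of the thread: an unsigned MX RRset could have been spoofed,
        # so a TLSA record published by the (possibly attacker-chosen) MX host
        # proves nothing about `domain`. The TLSA RRset is not even consulted.
        return Policy.OPPORTUNISTIC, "MX RRset for %s is insecure; TLSA for %s ignored" % (domain, host)
    tlsa = lookup("_25._tcp." + host, "TLSA")
    if tlsa.status is Sec.BOGUS:
        return Policy.DEFER, "TLSA lookup for %s failed validation" % host
    if tlsa.status is Sec.INSECURE or not tlsa.rdata:
        return Policy.OPPORTUNISTIC, "no secure TLSA RRset for %s" % host
    if any(tlsa_usable(rr) for rr in tlsa.rdata):
        return Policy.DANE, "secure, usable TLSA RRset for %s" % host
    return Policy.TLS_ONLY, "secure TLSA RRset for %s has no usable records" % host


if __name__ == "__main__":
    for d in ("example.com.", "example.org.", "example.edu.", "example.net."):
        policy, why = choose_policy(d)
        print("%-14s %-14s %s" % (d, policy.name, why))
```

Run it and `example.com.` comes out as `OPPORTUNISTIC` even though `mail.example.net` has a perfectly good, signed TLSA record: the client never reaches the TLSA lookup because the MX RRset that named that host was insecure. Only `example.org.`, where the whole chain is signed, gets authenticated DANE TLS; a bogus answer anywhere in the chain defers delivery rather than falling back to cleartext.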