Re: [dane] Delivery of email if MX is not signed

Paul Wouters <paul@nohats.ca> Mon, 24 August 2015 03:22 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/FE2K9FENhRRAZErJfX9AdDoJWSk>

On Mon, 24 Aug 2015, Viktor Dukhovni wrote:

>> I want the validation of the cert used for the TLS connection to use the
>> same rules for trust regardless of whether DANE is used (i.e. signed and
>> properly validated TLSA record for the peer) or if X.509 cert/PKI from
>> some CA is in use.
>
> What rules would that be?  Without DANE or local configuration,
> SMTP does no authentication of the peer, for reasons explained in
> Section 1.3 of the draft, that we don't need to repeat.

Exactly.

>> 1.1 Unsigned MX
>> 1.2 cert validated from some CA that is trusted
>
> No.  Non-DANE SMTP does unauthenticated TLS, and the cert is ignored,
> whether its trust chain verifies or not.

I think what Patrik is asking for is that if the target mx hostname is
signed and has a TLSA record, why not validate that and not use it
for mail delivery if the TLSA record fails? The logs would still NOT
say that the mail was delivered securely, because it was not as the MX
record itself was not secure.

I can't see a reason why not to do that, although I can also see why
implementations wouldn't care about this case and just skip all
certificate validation.

Paul
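
The policy discussed in this message (unsigned MX RRset, but a signed TLSA RRset at the MX target host), sketched as an added example that is not part of the original post or of any MTA's code. The function names, log labels and sample byte strings are constructed for illustration, and only DANE-EE(3) records are handled, so no chain validation is modelled.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    usage: int     # 3 = DANE-EE (the only usage this sketch handles)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rr, cert_der, spki_der):
    """Compare one DANE-EE TLSA record with what the peer presented."""
    if rr.usage != 3:
        return False  # simplification: DANE-TA etc. need chain building
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rr.mtype)
    return algo is not None and algo(selected).digest() == rr.data

def decide(mx_secure, tlsa_secure, tlsa_rrset, cert_der, spki_der):
    """Return (use_this_host, log_label) for one MX target host.

    mx_secure / tlsa_secure: DNSSEC validation status of the MX RRset and
    of the TLSA RRset at the MX target, as reported by the resolver.
    """
    if not tlsa_secure or not tlsa_rrset:
        # No usable TLSA: unauthenticated TLS, certificate is ignored.
        return True, "unauthenticated"
    if not any(tlsa_matches(rr, cert_der, spki_der) for rr in tlsa_rrset):
        # Signed TLSA exists and fails: do not use this host for delivery.
        return False, "tlsa-mismatch"
    # A TLSA match behind an insecure MX is never logged as secure,
    # because the MX record itself could have been forged.
    return True, ("dane-verified" if mx_secure else "tlsa-matched-insecure-mx")

# Constructed sample input (placeholder bytes, not a real certificate).
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info"
GOOD = Tlsa(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
BAD = Tlsa(3, 1, 1, hashlib.sha256(b"some-other-key").digest())

if __name__ == "__main__":
    for mx_ok, rrset in [(False, [GOOD]), (False, [BAD]), (True, [GOOD])]:
        print(mx_ok, decide(mx_ok, True, rrset, SAMPLE_CERT, SAMPLE_SPKI))
```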