Re: [dane] Delivery of email if MX is not signed
"Patrik Fältström " <paf@frobbit.se> Mon, 24 August 2015 06:22 UTC
Return-Path: <paf@frobbit.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FA201B30F1 for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 23:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.661
X-Spam-Level:
X-Spam-Status: No, score=-0.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, J_CHICKENPOX_15=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XkGeBt9qc6iu for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 23:22:31 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91B061B30DA for <dane@ietf.org>; Sun, 23 Aug 2015 23:22:31 -0700 (PDT)
Received: from [172.20.10.3] (dyn-fg143.sth.netnod.se [77.72.226.143]) by mail.frobbit.se (Postfix) with ESMTPSA id BBD392074C for <dane@ietf.org>; Mon, 24 Aug 2015 08:22:28 +0200 (CEST)
From: Patrik Fältström <paf@frobbit.se>
To: dane@ietf.org
Date: Mon, 24 Aug 2015 08:22:27 +0200
Message-ID: <A1DB302D-2779-4A92-A3FE-AC9B6D357258@frobbit.se>
In-Reply-To: <20150824030015.GD9021@mournblade.imrryr.org>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se> <20150823185057.GJ5112@x28.adm.denic.de> <0E722F2F-510C-4060-86C2-41190F724DBA@frobbit.se> <alpine.LFD.2.20.1508231528300.8057@bofh.nohats.ca> <F03DF898-2E5D-491B-8315-03F4E0F53323@frobbit.se> <20150824030015.GD9021@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_93F697EE-F4AE-473B-BEBB-A321E7F5B5AB_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/KeokeVIhIkYs19Bc6J0HxznGpKg>
Subject: Re: [dane] Delivery of email if MX is not signed
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 06:22:32 -0000
On 24 Aug 2015, at 5:00, Viktor Dukhovni wrote: > On Mon, Aug 24, 2015 at 04:51:19AM +0200, Patrik F?ltstr?m wrote: > >> What I read in the draft, and what I read in the paper Jan wrote after >> testing Postfix and what I read here in the responses I get is that DANE >> is trusted LESS than X.509 certs. > > This is a misapprehesion on your part. Thank you! >> 1. X.509 >> >> 1.1 Unsigned MX >> 1.2 cert validated from some CA that is trusted > > No. Non-DANE SMTP does unauthenticated TLS, and the cert is ignored, whether its trust chain verifies or not. > >> 2. DANE >> >> 2.1 Unsigned MX >> 2.2 cert validated via signed TLSA with DNSSEC chain of trust to some TA > > In both cases no authentication is performed. > >> I think they should be equivalent. > > They are equivalent, you get no protection from active attacks. Thanks! >> If they are, also in the implementation in postfix, then just tell me and I'll shut up. > > With "smtp_tls_security_level = dane", the two cases are treated identically, neither authenticate the peer, and both deliver the mail regardless of the content of the peer certificate if any. Excellent! That was what I was hoping. Then I misunderstood the tests Jan did. Patrik
- [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed Peter Koch
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? (… Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder