Re: [dane] SMTP STARTTLS stripping in the wild

"John R Levine" <johnl@taugh.com> Fri, 14 November 2014 01:19 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D542D1A1A95 for <dane@ietfa.amsl.com>; Thu, 13 Nov 2014 17:19:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.137
X-Spam-Level:
X-Spam-Status: No, score=-1.137 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQaVUyVdNkW7 for <dane@ietfa.amsl.com>; Thu, 13 Nov 2014 17:19:24 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9E8F1A1A8D for <dane@ietf.org>; Thu, 13 Nov 2014 17:19:23 -0800 (PST)
Received: (qmail 51807 invoked from network); 14 Nov 2014 01:19:22 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=ca5e.5465589a.k1411; bh=ES2cNj7nFs3MVSsEuisxrT3wJz63YX3MHMOzJMW+HZ8=; b=TlOZsUeiHwkCkYD2MQlawMPglusm1XZ2qJ0iWItorhhVuLaeCOrZn43K0VlZzLkbeInWgXW8dx8RpU9n+PjCkfcg54hgwwogUAhvrs/F5U2zpWVqbzA7LhQPXlfjrAXNQesOOvLw94D118lnXq7xTTc0fPdRrTjVGx9SLS74JFzvDsGWzbyKd+pbrwUeTHvms7KM21I2/MOFe+fuvN2s510mip+eMO/jflEqLG8rhICf53AAEny19FFMakp0BV2G
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=ca5e.5465589a.k1411; bh=ES2cNj7nFs3MVSsEuisxrT3wJz63YX3MHMOzJMW+HZ8=; b=RLZEy6v34y+RsC940aFbwG5sfIjQFqhshKqGEcTcnGVumOFlHPuK6XzDghIM2TUDKd9s4PekcBoaaO7v2la+0UGbUGMWfysvIU2GqDlfTnDLV2X2Cb0DAqgEoU29f1aweyOwuUtMVN8X0YoSyUti0azkyYXUwuSWqcP3bMAs0yvHBdxSSRzZRzqj+8Wm2by+Y6fO6P7B2FaVJldiEqSEIzal/KKJLxF6Uw3Q/pwRzFyxbB07C2wpwkjZ8DBHaU5a
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 14 Nov 2014 01:19:22 -0000
Date: 13 Nov 2014 15:19:19 -1000
Message-ID: <alpine.OSX.2.11.1411131517400.1397@dhcp-bbe2.meeting.ietf.org>
From: "John R Levine" <johnl@taugh.com>
To: "Paul Wouters" <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1411132007180.2720@bofh.nohats.ca>
References: <20141114004313.8557.qmail@ary.lan> <alpine.LFD.2.10.1411132007180.2720@bofh.nohats.ca>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/OLoY-y6EQXbKjsuOK8sIbepeTcs
Cc: dane@ietf.org
Subject: Re: [dane] SMTP STARTTLS stripping in the wild
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 01:19:25 -0000

> You are wrongly assuming all must clients relay via another location.
> (yes I know, you say reality, I say morality)

As I pointed out in another context, an ISP can trivially create an 
EFF-compatible spam filter by hijacking all port 25 sessions to its own 
mail server, which does STARTTLS.

There are problems that need solving.  This is not one of them.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.