Re: [dane] Delivery of email if MX is not signed

"Patrik Fältström" <paf@frobbit.se> Mon, 24 August 2015 02:53 UTC

From: Patrik Fältström <paf@frobbit.se>
To: dane@ietf.org
Date: Mon, 24 Aug 2015 04:53:52 +0200
Message-ID: <63F22325-1D0B-4801-B7B7-712A96E701F3@frobbit.se>
In-Reply-To: <20150823230916.GB9021@mournblade.imrryr.org>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <20150823230916.GB9021@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/OkVwjU7JN8YiB53b50yyvQ9rz30>

On 24 Aug 2015, at 1:09, Viktor Dukhovni wrote:

> On Sun, Aug 23, 2015 at 02:18:39PM -0400, Paul Wouters wrote:
>
>>> mail.example.com. IN A 192.168.1.1
>>> _426._tcp.mail.example.om. IN TLSA ....
>
> _25._tcp for SMTP, no idea where _426 is from.

Sorry, 465.

But we could as well use 25 in the example.

>>> What seems to have happened in the tests that Jan did was that IF the MX
>>> was not signed, BUT the TLSA was signed and validated correctly, THEN
>>> postfix did _NOT_ deliver the email. At all.
>
> The tests were badly executed or profoundly misinterpreted.
>
>>> I think that behaviour is wrong, and am unsure whether it is a bug in
>>> postfix or whether it is a bug in the spec.
>
> Neither.
>
>>> That would be a bug in postfix? The spec states:
>
> Would be, but is not, because Postfix does not behave as claimed.

Ok, thanks!!!

   paf
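The point Viktor is making is the RFC 7672 ordering: an MTA only consults TLSA records when the MX RRset itself was obtained securely; an insecure MX lookup means plain opportunistic TLS, not a refused delivery. The following is an added illustration of that decision logic (my own toy model, not Postfix code and not from the thread); the SPKI/certificate bytes are constructed placeholders, and DANE-TA (usage 2) chain validation is deliberately left out.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class TlsaRecord:
    usage: int     # certificate usage: 2 = DANE-TA, 3 = DANE-EE (others unusable for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type: 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the presentation form of a TLSA RR, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split()
    return TlsaRecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

def tlsa_matches(rr: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the selected data (full cert or SPKI) against the record's association data."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        digest = selected
    elif rr.mtype == 1:
        digest = hashlib.sha256(selected).digest()
    elif rr.mtype == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: record is unusable
    return digest == rr.data

def smtp_tls_policy(mx_secure: bool, tlsa_secure: bool, records: List[TlsaRecord],
                    cert_der: bytes, spki_der: bytes) -> Tuple[str, bool]:
    """Return (effective TLS policy, deliver?) for one MX host.
    TLSA is consulted only when both the MX RRset and the TLSA RRset are DNSSEC-secure;
    otherwise the MTA falls back to opportunistic TLS ("may") and delivery proceeds."""
    if not mx_secure or not tlsa_secure or not records:
        return ("may", True)
    usable = [r for r in records if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not usable:
        return ("encrypt", True)  # TLSA present but all unusable: TLS required, no authentication
    # Simplification (assumption): only DANE-EE (usage 3) is matched here; DANE-TA (usage 2)
    # would additionally require walking the server's certificate chain, which is omitted.
    if any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in usable):
        return ("dane", True)
    return ("dane", False)  # usable records but none matched: authentication failed, defer

# Constructed sample data (not a real key or certificate) and the matching "3 1 1" record.
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes"
SAMPLE_CERT = b"constructed certificate bytes"
SAMPLE_TLSA = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())
```

With `mx_secure=False` the function never looks at the TLSA record and still returns a deliverable "may" policy, which is the behaviour Viktor describes for Postfix.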