IETF Logo Mail Archive

Re: [dane] Delivery of email if MX is not signed

"Patrik Fältström " <paf@frobbit.se> Sun, 23 August 2015 19:07 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1F21B2A51 for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 12:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.961
X-Spam-Level:
X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MYVcnSTYHXYu for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 12:07:13 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29DEA1B2A38 for <dane@ietf.org>; Sun, 23 Aug 2015 12:07:13 -0700 (PDT)
Received: from [192.168.1.12] (frobbit.cust.teleservice.net [85.30.128.225]) by mail.frobbit.se (Postfix) with ESMTPSA id 5C4D620025; Sun, 23 Aug 2015 21:07:11 +0200 (CEST)
From: Patrik Fältström <paf@frobbit.se>
To: Peter Koch <pk@DENIC.DE>
Date: Sun, 23 Aug 2015 21:07:10 +0200
Message-ID: <0E722F2F-510C-4060-86C2-41190F724DBA@frobbit.se>
In-Reply-To: <20150823185057.GJ5112@x28.adm.denic.de>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se> <20150823185057.GJ5112@x28.adm.denic.de>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_962F0AF4-B498-4A20-AE5A-2B579DCC209A_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/UEDYULqqu2JgB7cOJ8p5EXj95Z4>
Cc: dane@ietf.org
Subject: Re: [dane] Delivery of email if MX is not signed
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 19:07:14 -0000

On 23 Aug 2015, at 20:50, Peter Koch wrote:

> If we'd only be worried about a passive attacker, we'd not
> address the spoofed MX RR, but we'd want the SMTP connection
> encrypted.  In that case (passive only), opportunistic (pre DANE)
> STARTTLS would be sufficient.
>
> If we'd worry enough about active attacks, we'd want the endpoint
> identity verified (thus DANE[1]) as well as its capabilities
> (thus DANE[2]), and at the same time we'd probably prefer (or
> even demand) signed/validated MX RRs.
>
> Apparently there are multiple potential attackers of different background,
> motivation, and means. If your enemy is the helpful corporate
> firewall that intercepts SMTP to 'optimize away' STARTTLS, maybe
> its next version will 'enhance' MX responses?

Agree.

What I think I see in the draft is that "DANE and SMTP" is either "on" or "off", and I want more shades of gray.

1. Unsigned MX, Unsigned A/AAAA, not using TLS at all

2. Unsigned MX, Unsigned A/AAAA, TLS used with self-signed cert

3. Unsigned MX, Unsigned A/AAAA, TLS used with cert signed by CA (i.e. trusted cert)

4. Unsigned MX, Signed A/AAAA, TLS used with cert signed by CA (i.e. trusted cert)

5. Unsigned MX, Signed A/AAAA, TLS used with cert validated with signed TLSA (i.e. trusted cert)

6. Signed MX, Signed A/AAAA, TLS used with cert validated with signed TLSA


I think 4 and 5 are equivalent, both better than 3 (which is better than 1, 2 and 3).

And of course there are more permutations, specifically with signed MX, but the for me interesting alternatives are the ones above, where MX is unsigned.

   Patrik

v2.23.0 | Report a Bug | By Email