Re: [dane] Delivery of email if MX is not signed
Peter Koch <pk@DENIC.DE> Sun, 23 August 2015 18:51 UTC
Date: Sun, 23 Aug 2015 20:50:57 +0200
From: Peter Koch <pk@DENIC.DE>
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <20150823185057.GJ5112@x28.adm.denic.de>
Mail-Followup-To: Patrik Fältström <paf@frobbit.se>, dane@ietf.org
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/YMF_LUBIwj95bSJ5Y3UjPDVgXOw>
Cc: dane@ietf.org
On Sun, Aug 23, 2015 at 08:30:10PM +0200, Patrik Fältström wrote:

> This is a bit confusing to me. I.e. the terminology is confusing. To me, [2] has proper DANE validated TLS available for the SMTP connection.
>
> But I completely agree there is an MiM possible for the unsigned MX. Just like we have today. And why we want DNSSEC deployed.

If we'd only be worried about a passive attacker, we'd not address the spoofed MX RR, but we'd want the SMTP connection encrypted. In that case (passive only), opportunistic (pre DANE) STARTTLS would be sufficient.

If we'd worry enough about active attacks, we'd want the endpoint identity verified (thus DANE[1]) as well as its capabilities (thus DANE[2]), and at the same time we'd probably prefer (or even demand) signed/validated MX RRs.

Apparently there are multiple potential attackers of different background, motivation, and means. If your enemy is the helpful corporate firewall that intercepts SMTP to 'optimize away' STARTTLS, maybe its next version will 'enhance' MX responses?

-Peter
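The delivery decision this argument implies, as an added example that is not code from the thread or from any of its participants: a Python model of the rule later written down in RFC 7672, under which a DANE-capable SMTP client only enforces TLSA-authenticated TLS when the MX RRset itself is DNSSEC-secure, and otherwise falls back to unauthenticated STARTTLS. The stub resolver, domain names and TLSA values are constructed for the example; a real client would use a validating resolver and read the AD bit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    records: tuple  # rdata strings
    secure: bool    # True when DNSSEC-validated (AD bit set), False when insecure


# Constructed stub zone data, (owner, type) -> RRset; a missing key means NODATA.
# The TLSA hashes are placeholders, not real certificate digests.
STUB = {
    ("signed.example", "MX"): RRset(("20 mx2.signed.example", "10 mx1.signed.example"), True),
    ("_25._tcp.mx1.signed.example", "TLSA"): RRset(("3 1 1 PLACEHOLDER_SPKI_SHA256",), True),
    # The thread's case [2]: unsigned MX RRset, but the MX host itself publishes signed TLSA.
    ("unsigned.example", "MX"): RRset(("10 mx1.unsigned.example",), False),
    ("_25._tcp.mx1.unsigned.example", "TLSA"): RRset(("3 1 1 PLACEHOLDER_SPKI_SHA256",), True),
    ("nodane.example", "MX"): RRset(("10 mx.nodane.example",), True),
}


def lookup(owner, rtype):
    return STUB.get((owner, rtype))


def delivery_policy(domain):
    """Decide how to connect to a domain's primary MX.

    Returns (mx_host, mode, defended): mode is 'dane' (TLSA-authenticated TLS,
    required) or 'opportunistic' (STARTTLS if offered, no authentication), and
    defended lists the attacker classes from the thread that the mode covers.
    """
    mx = lookup(domain, "MX")
    if mx is None:
        raise ValueError(f"no MX for {domain} (implicit-MX case not modelled here)")
    # Lowest preference value wins.
    pref, host = min((r.split() for r in mx.records), key=lambda p: int(p[0]))
    if not mx.secure:
        # An unsigned MX RRset can be swapped by an active attacker, so any TLSA
        # found under the (possibly substituted) host proves nothing. DANE is not
        # applied; only a passive eavesdropper is kept out, and only if STARTTLS works.
        return host, "opportunistic", {"passive eavesdropper"}
    tlsa = lookup(f"_25._tcp.{host}", "TLSA")
    if tlsa is None or not tlsa.secure:
        return host, "opportunistic", {"passive eavesdropper"}
    # Signed MX plus signed TLSA: endpoint identity and STARTTLS capability are
    # both authenticated, which is what it takes against the active attacker.
    return host, "dane", {"passive eavesdropper", "active SMTP interceptor", "MX spoofing"}
```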