Re: [dane] Delivery of email if MX is not signed
"Patrik Fältström " <paf@frobbit.se> Sun, 23 August 2015 17:59 UTC
Return-Path: <paf@frobbit.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 925801B29ED for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 10:59:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.261
X-Spam-Level:
X-Spam-Status: No, score=-1.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlEhtB1opB1S for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 10:59:40 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C85B1B29EC for <dane@ietf.org>; Sun, 23 Aug 2015 10:59:40 -0700 (PDT)
Received: from [192.165.72.22] (ibin.frobbit.se [192.165.72.22]) by mail.frobbit.se (Postfix) with ESMTPSA id 2C649200BC; Sun, 23 Aug 2015 19:59:38 +0200 (CEST)
From: Patrik Fältström <paf@frobbit.se>
To: Paul Wouters <paul@nohats.ca>
Date: Sun, 23 Aug 2015 19:59:37 +0200
Message-ID: <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se>
In-Reply-To: <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_F8B61281-89CB-4ED9-8A01-FFCA12D8601D_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/jxlPD3Yg1b0xlSVROmqJ5Fj_HSc>
Cc: dane@ietf.org
Subject: Re: [dane] Delivery of email if MX is not signed
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 17:59:41 -0000
On 23 Aug 2015, at 19:47, Paul Wouters wrote: > On Sun, 23 Aug 2015, Patrik Fältström wrote: > >> Also, in my example the RRSet the MX is in is _unsigned_: >> >> example.com. IN MX 0 mail.example.net. >> >> 2. Delivery of the mail over TLS to mail.example.net. > > so example.com is unsigned? and mail.example.net is signed, and the TLSA > record in example.net is signed. Correct. > In that case, I believe TLS will be used but the TLSA cannot be > verified, so while delivery happens over TLS, there is no way to > verify the identity of the receiver because the MX record could have > been spoofed. Excuse me for being slow here. What do you mean by "the TLSA cannot be verified"? To be more precise: Unsigned RRSET contain: example.net. IN MX 0 mail.example.com. Signed (and properly validated) RRSETs that contains these two records and a few more: mail.example.com. IN A 192.168.1.1 _426._tcp.mail.example.om. IN TLSA .... I.e. if only looking at mail.example.com. and _426._tcp.mail.example.com. that is a 100% properly setup DANE "thing". > I think you are arguing that it should deliver TLS only after validation > of the TLSA record for mail.example.net. That validation is a false > sense of security though. > > I don't think mail delivery will be halted. since the example.com domain > is unsigned, anonymous TLS will be used when available, and no > verification will take place. > > I'm not sure what you are proposing to change? I am not sure I am proposing a change. :-) What seems to have happened in the tests that Jan did was that IF the MX was not signed, BUT the TLSA was signed and validated correctly, THEN postfix did _NOT_ deliver the email. At all. I think that behaviour is wrong, and am unsure whether it is a bug in postfix or whether it is a bug in the spec. Patrik
- [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed Peter Koch
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? (… Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder