IETF Logo Mail Archive

Re: [dane] Delivery of email if MX is not signed

lst_hoe02@kwsoft.de Sun, 23 August 2015 18:46 UTC

Return-Path: <lst_hoe02@kwsoft.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3BCE1B2A2A for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 11:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.26
X-Spam-Level:
X-Spam-Status: No, score=-2.26 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55gwP_P9V1tr for <dane@ietfa.amsl.com>; Sun, 23 Aug 2015 11:46:25 -0700 (PDT)
Received: from mailer.kwsoft.de (mailer.kwsoft.de [213.164.67.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A3491B2A29 for <dane@ietf.org>; Sun, 23 Aug 2015 11:46:25 -0700 (PDT)
Received: from mailer (localhost [127.0.0.1]) by mailer.kwsoft.de (Postfix) with ESMTP id E6CF31810B2 for <dane@ietf.org>; Sun, 23 Aug 2015 20:46:23 +0200 (CEST)
Received: from ftp (ftp.kwsoft.de [213.164.67.83]) by mailer.kwsoft.de (Postfix) with ESMTPS id 46A6B1811BF for <dane@ietf.org>; Sun, 23 Aug 2015 20:46:23 +0200 (CEST)
Received: from p54986CB5.dip0.t-ipconnect.de (p54986CB5.dip0.t-ipconnect.de [84.152.108.181]) by webmail.kwsoft.de (Horde Framework) with HTTP; Sun, 23 Aug 2015 20:46:23 +0200
Date: Sun, 23 Aug 2015 20:46:23 +0200
From: lst_hoe02@kwsoft.de
To: dane@ietf.org
Message-ID: <20150823204623.Horde.i2QJGPg9ASEBX9mspfXLZc-@webmail.kwsoft.de>
In-Reply-To: <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-1"; boundary="----=_Part_881_1151073186.1440355583852"
User-Agent: Horde Application Framework 5
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/lkYVDMjHpZ5uIuZy3AKCIRvpedM>
Subject: Re: [dane] Delivery of email if MX is not signed
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 18:46:27 -0000

Zitat von Patrik Fältström <paf@frobbit.se>:

> On 23 Aug 2015, at 20:18, Paul Wouters wrote:
>
>>> Unsigned RRSET contain:
>>>
>>> example.net. IN MX 0 mail.example.com.
>>>
>>> Signed (and properly validated) RRSETs that contains these two  
>>> records and a few more:
>>>
>>> mail.example.com. IN A 192.168.1.1
>>> _426._tcp.mail.example.om. IN TLSA ....
>>
>> so anyone can spoof:
>>
>> example.net. IN MX 0 mail.example.com.
>
> Yes, just like today.
>
>> pretending "mail.example.com." does not give you more security. What
>> would you do if you saw:
>>
>> example.net. IN MX 0 evil.nohats.ca
>>
>> with proper TLSA records for evil.nohats.ca?
>
> This is what we have today.
>
> I would deliver over the TLS secured connection.
>
> The only way to secure that is to DNSSEC sign mail.example.net.
>
>>> I.e. if only looking at mail.example.com. and  
>>> _426._tcp.mail.example.com. that is a 100% properly setup DANE  
>>> "thing".
>>
>> But nothing in that statement securely tells you anything about example.net.
>
> Correct.
>
>>> I think that behaviour is wrong, and am unsure whether it is a bug  
>>> in postfix or whether it is a bug in the spec.
>>
>> That would be a bug in postfix? The spec states:
>>
>> All
>> "insecure" RRSets MUST be handled identically: in either case
>> unvalidated data for the query domain is all that is and can be
>> available, and authentication using the data is impossible.
>>
>> It does not state to not deliver email, it just states there is no
>> authentication possible, so deliver without dane authentication.
>
> Ok, I think what I have issues with is that I think "dane  
> authentication" is not black or white.
>
> We have at least:
>
> 1. Signed and validated MX, signed and validated TLSA
>
> 2. Unsigned MX, signed and validated TLSA
>
> 3. Unsigned MX, no TLSA, unsigned A/AAAA
>
> Then we have all of the failed situations, which include:
>
> 4. Signed, but broken signatures, on MX, signed and validated TLSA
>
> 5. Signed, but broken signatures, on MX, signed but broken signatures on TLSA
>
> 6. Unsigned MX, signed but broken signatures on TLSA
>
> Etc
>
> So if you look at 1, 2 and 3, if I understand you correctly, [2] is  
> not "DANE authenticated" even if the TLS connection has properly  
> signed and validated TLSA record?
>
> This is a bit confusing to me. I.e. the terminology is confusing. To  
> me, [2] has proper DANE validated TLS available for the SMTP  
> connection.
>
> But I completely agree there is an MiM possible for the unsigned MX.  
> Just like we have today. And why we want DNSSEC deployed.

You are https biased i guess. With an unsigned MX your secure chain is  
broken because the target you try to reach by an E-Mail address is  
directed to a target by an "unsecure" link. If the unsecure resolved  
target is then secured doesn't matter because you might be already on  
the wrong track.

Security is only as strong as the weakest point in the chain.

Regards

Andreas

v2.23.0 | Report a Bug | By Email