Re: [dane] Delivery of email if MX is not signed

Paul Wouters <paul@nohats.ca> Sun, 23 August 2015 18:18 UTC

Date: Sun, 23 Aug 2015 14:18:39 -0400
From: Paul Wouters <paul@nohats.ca>
To: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se>
Message-ID: <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/uYmOhn6NWe8Hf2ySmJ2v7VkOyoM>
Cc: dane@ietf.org
Subject: Re: [dane] Delivery of email if MX is not signed

On Sun, 23 Aug 2015, Patrik Fältström wrote:

>>> 2. Delivery of the mail over TLS to mail.example.net.
>>
>> So example.com is unsigned? And mail.example.net is signed, and the TLSA
>> record in example.net is signed.
>
> Correct.
>
>> In that case, I believe TLS will be used but the TLSA cannot be
>> verified, so while delivery happens over TLS, there is no way to
>> verify the identity of the receiver because the MX record could have
>> been spoofed.
>
> Excuse me for being slow here. What do you mean by "the TLSA cannot be verified"?
>
> To be more precise:
>
> Unsigned RRSET contain:
>
> example.net. IN MX 0 mail.example.com.
>
> Signed (and properly validated) RRSETs that contains these two records and a few more:
>
> mail.example.com. IN A 192.168.1.1
> _426._tcp.mail.example.com. IN TLSA ....

So anyone can spoof:

example.net. IN MX 0 mail.example.com.

pretending "mail.example.com." does not give you more security. What
would you do if you saw:

example.net. IN MX 0 evil.nohats.ca

with proper TLSA records for evil.nohats.ca?

> I.e. if only looking at mail.example.com. and _426._tcp.mail.example.com. that is a 100% properly setup DANE "thing".

But nothing in that statement securely tells you anything about example.net.

>> I don't think mail delivery will be halted. Since the example.com domain
>> is unsigned, anonymous TLS will be used when available, and no
>> verification will take place.
>>
>> I'm not sure what you are proposing to change?
>
> I am not sure I am proposing a change. :-)
>
> What seems to have happened in the tests that Jan did was that IF the MX was not signed, BUT the TLSA was signed and validated correctly, THEN postfix did _NOT_ deliver the email. At all.
>
> I think that behaviour is wrong, and am unsure whether it is a bug in postfix or whether it is a bug in the spec.

That would be a bug in postfix? The spec states:

    All "insecure" RRSets MUST be handled identically: in either case
    unvalidated data for the query domain is all that is and can be
    available, and authentication using the data is impossible.

It does not say not to deliver email; it just says there is no
authentication possible, so deliver without DANE authentication.

Paul
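The decision described in this exchange, written out as an added Python illustration that is not part of the thread and not Postfix code: the DNSSEC status of the MX RRset gates whether a signed TLSA record for the MX host may authenticate anything at all. It assumes one validation status per RRset (secure, insecure or bogus), TLSA names under `_25._tcp`, constructed sample DNS data with placeholder digests, and leaves out the A/AAAA and CNAME handling of the MX host.

```python
from dataclasses import dataclass
from enum import Enum

class Sec(Enum):
    SECURE = "secure"      # RRset validated under DNSSEC
    INSECURE = "insecure"  # unsigned zone: data is unauthenticated
    BOGUS = "bogus"        # signed, but validation failed (resolver would SERVFAIL)

@dataclass(frozen=True)
class RRset:
    records: tuple
    status: Sec

# Constructed sample data for the thread's scenario: example.net is unsigned, while
# mail.example.com and evil.nohats.ca both publish signed TLSA records.
# Digests are placeholders, not real certificate hashes.
SAMPLE_DNS = {
    ("example.net.", "MX"): RRset((("0", "mail.example.com."),), Sec.INSECURE),
    ("_25._tcp.mail.example.com.", "TLSA"): RRset(("3 1 1 <placeholder-digest>",), Sec.SECURE),
    ("_25._tcp.evil.nohats.ca.", "TLSA"): RRset(("3 1 1 <placeholder-digest-2>",), Sec.SECURE),
}

def delivery_policy(domain, dns):
    """Return (mx_host, policy, reason). policy is 'dane' (TLSA-authenticated TLS),
    'opportunistic' (TLS if offered, no authentication) or 'defer' (do not deliver now)."""
    mx = dns[(domain, "MX")]
    if mx.status is Sec.BOGUS:
        return None, "defer", "MX RRset is bogus: DNSSEC validation failed"
    host = min(mx.records, key=lambda r: int(r[0]))[1]   # lowest preference wins
    if mx.status is Sec.INSECURE:
        # The quoted spec text: all insecure RRsets are handled alike. The MX hostname
        # itself is unauthenticated, so a signed TLSA for it proves nothing about `domain`.
        return host, "opportunistic", "MX RRset insecure: TLSA cannot authenticate delivery"
    tlsa = dns.get(("_25._tcp." + host, "TLSA"))
    if tlsa is None or tlsa.status is Sec.INSECURE:
        return host, "opportunistic", "no usable TLSA for MX host"
    if tlsa.status is Sec.BOGUS:
        return host, "defer", "TLSA RRset is bogus"
    return host, "dane", "secure MX and secure TLSA: enforce DANE-authenticated TLS"

def with_mx(dns, domain, host, status):
    """Copy of dns with the MX RRset for domain replaced, to model a spoofed or signed answer."""
    new = dict(dns)
    new[(domain, "MX")] = RRset((("0", host),), status)
    return new
```

Running the spoofed case (unsigned MX pointing at evil.nohats.ca with a valid TLSA) yields the same "opportunistic" result as the legitimate unsigned MX, which is the point: a signed TLSA cannot upgrade an unsigned MX to authenticated delivery, and it must not block delivery either.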