[dane] How a multiple tenant SMTP service provider implement the DANE

Harvy Chen <haigui.chen@gmail.com> Thu, 20 February 2020 03:27 UTC

Return-Path: <haigui.chen@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51CA1120099 for <dane@ietfa.amsl.com>; Wed, 19 Feb 2020 19:27:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TRNaA3cx85zT for <dane@ietfa.amsl.com>; Wed, 19 Feb 2020 19:27:51 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD94F12001B for <dane@ietf.org>; Wed, 19 Feb 2020 19:27:50 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id r18so31959252edl.1 for <dane@ietf.org>; Wed, 19 Feb 2020 19:27:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=4LvEbkwNDgYHF3hksci6O6ZHH2jClS1TCtC1aLqBcM8=; b=pOIeeolegfMpAbplVKOMn67kb5WSGyEWsmF1xl/qIFm8h/NDFTqmG/MIE0C7IKLkqA o3WwmhMXemod+fk8+/5zpIoCPLp969x+YmEATnnOMVNUnzQL7awslZp6oGTWmxDMgp6K BKAM6QNDrY+GmxbrErPUnfbtbI+AzskVpMGoILz0mx69Cj+V+DG3vxZo+XzNiKvIqy8w eFePQLpM7EZotcxR1eDt7VmBCpCCpne/kdWLETQB6efI/prGDN5kUV+Dk9+a8gQ3QSQq nc4hHu0aFYBJO3/3A0bGN+ujVnq+kZuagey0aUz3VtMLndNm9U7zfw4K9BTxzNt73Gyq kq7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4LvEbkwNDgYHF3hksci6O6ZHH2jClS1TCtC1aLqBcM8=; b=O9Lol2/4C8TYFj2ZrTMpPB04PZst6EF8I+L8A2uvWuV0cSmGJ5SzAFx4iuybHjAi3o TWMwCu0vm2RFWyHxfuI2WYv31D2Cyft4hytbeJP1BdEOdgnp7k/e99bcujrD36ep244B RqArVPXGuCJmiWHShlFgwzDQydtZZAMMkQauF4F2LsdpS41qpwobK9LYgDgmFz2x2PWR /mhnSh6/1LCTgjeYj3euKXxPtTnFTk42cD9mH79Uo5zLIs40CXGou7Mfc7opgJ5NIngm NlVwtFl3FO2jJGZtJjG/az8ySV0R/ruzJJXwWJR8rBbj8zXnLjjUsiOHzTUbBUv4cGLk jAEg==
X-Gm-Message-State: APjAAAVDOQ8hpRb245XTVPspVZrBl+b3gKNPnD4mu1fnN+tyAjrCtH3U mS/8n8hOpi+EKec4/iemyJrJluWS+bqCNZAXuHULQqsa
X-Google-Smtp-Source: APXvYqwwXGAAzCrsrHbfere6jd5f5iyoCp+A7Gu+RS9zntBulXneZB35bJSEimaiucbFGjDINJDTLiCXxbN88ptclCU=
X-Received: by 2002:aa7:da13:: with SMTP id r19mr26083052eds.188.1582169269074; Wed, 19 Feb 2020 19:27:49 -0800 (PST)
MIME-Version: 1.0
From: Harvy Chen <haigui.chen@gmail.com>
Date: Thu, 20 Feb 2020 11:27:38 +0800
Message-ID: <CAMawrWfNG9C7BB6b+7jD__DAZ=CuDMFjfdRTFua3bXatBeDtWw@mail.gmail.com>
To: dane@ietf.org
Content-Type: multipart/alternative; boundary="000000000000420136059ef97d7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/w8QqaRcrNJPgq9pAOIRgCsyiIpo>
X-Mailman-Approved-At: Thu, 20 Feb 2020 18:43:44 -0800
Subject: [dane] How a multiple tenant SMTP service provider implement the DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 04:58:43 -0000

Hi All,
  Having studied the DANE RFCs, I have a question about multi-tenant service
providers, like this: Sender ----> Service -----> Rcpt. How can such a provider
implement DANE for inbound traffic? It requires the customer's (rcpt)
certificate, but at the TLS connection setup stage we don't even know who the
rcpt is, and cannot decide which certificate to use.

Thanks,
Haigui
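For readers following this thread: the example below is an added illustration, not code from the message above or from any MTA. It models the lookup path RFC 7672 specifies for SMTP. The TLSA RRset is published under the MX hostname (`_25._tcp.<mx-host>`), so what the receiving server must present is a certificate for its own MX name, and two tenants whose MX records point at the same provider host resolve to the same TLSA owner name. The zone data, hostnames (`mx.provider.example`, `tenant-a.example`, `tenant-b.example`) and certificate bytes are constructed stand-ins; DANE-TA (usage 2) chain building is not modelled.

```python
"""DANE-for-SMTP TLSA lookup and matching, modelled offline.

Added illustration; not code from the message or from any real MTA.
The zone data and certificate bytes below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for DNS: recipient domain -> MX host.
# Two tenants share one provider MX host.
MX = {
    "tenant-a.example": "mx.provider.example",
    "tenant-b.example": "mx.provider.example",
}


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; RFC 7672 treats 0/1 as unusable for SMTP
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


# Constructed certificate material the provider's MX host presents on port 25.
PROVIDER_CERT_DER = b"constructed-DER-certificate-for-mx.provider.example"
PROVIDER_SPKI_DER = b"constructed-SPKI-for-mx.provider.example"

# Constructed TLSA RRsets keyed by owner name. The second record (usage 1,
# PKIX-EE) is deliberately unusable for SMTP and must be skipped, not fail.
TLSA_RRSETS = {
    "_25._tcp.mx.provider.example": [
        TLSA(3, 1, 1, hashlib.sha256(PROVIDER_SPKI_DER).digest()),
        TLSA(1, 0, 1, hashlib.sha256(PROVIDER_CERT_DER).digest()),
    ],
}


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """RFC 7672: the TLSA RRset lives under the MX hostname, not the recipient domain."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}"


def resolve_tlsa(rcpt_domain: str):
    """Return (mx_host, owner_name, rrset) for a recipient domain."""
    mx_host = MX[rcpt_domain]
    owner = tlsa_owner_name(mx_host)
    return mx_host, owner, TLSA_RRSETS.get(owner, [])


def _selected_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector and matching type to the presented certificate."""
    raw = cert_der if rr.selector == 0 else spki_der
    if rr.matching == 0:
        return raw
    if rr.matching == 1:
        return hashlib.sha256(raw).digest()
    if rr.matching == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type")


def dane_ee_matches(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable DANE-EE (usage 3) record matches the presented end-entity cert."""
    for rr in rrset:
        if rr.usage != 3 or rr.selector not in (0, 1) or rr.matching not in (0, 1, 2):
            continue  # unusable record: skip it, do not treat as a failure
        if _selected_data(rr, cert_der, spki_der) == rr.data:
            return True
    return False


def verify_inbound_path(rcpt_domain: str) -> dict:
    """Resolve a recipient domain to its MX, TLSA owner name and match result."""
    mx_host, owner, rrset = resolve_tlsa(rcpt_domain)
    return {
        "mx": mx_host,
        "tlsa_owner": owner,
        "matched": dane_ee_matches(rrset, PROVIDER_CERT_DER, PROVIDER_SPKI_DER),
    }


if __name__ == "__main__":
    for domain in MX:
        print(domain, verify_inbound_path(domain))
```

Running it shows both tenant domains resolving to the same `_25._tcp.mx.provider.example` owner name and matching the single provider certificate, which is why the certificate choice does not depend on knowing the recipient at handshake time.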