Re: [dane] Delivery of email if MX is not signed

"Patrik Fältström " <paf@frobbit.se> Mon, 24 August 2015 02:57 UTC

From: Patrik Fältström <paf@frobbit.se>
To: dane@ietf.org
Date: Mon, 24 Aug 2015 04:57:07 +0200
Message-ID: <713F9852-A7C3-440B-AC9C-75417A79C9FE@frobbit.se>
In-Reply-To: <20150823231726.GC9021@mournblade.imrryr.org>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <alpine.LFD.2.20.1508231343110.26943@bofh.nohats.ca> <F2977CCF-CE1E-46F1-A08E-4A6D77EA3A74@frobbit.se> <alpine.LFD.2.20.1508231411280.26943@bofh.nohats.ca> <C6382564-E6D5-4461-902A-6E12ED78296C@frobbit.se> <20150823185057.GJ5112@x28.adm.denic.de> <0E722F2F-510C-4060-86C2-41190F724DBA@frobbit.se> <20150823231726.GC9021@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/ydXnZxiYe4gkNX6T4nqoAyHCdIE>
Subject: Re: [dane] Delivery of email if MX is not signed

On 24 Aug 2015, at 1:17, Viktor Dukhovni wrote:

> 5. Unsigned MX, Signed A/AAAA, TLS used with cert validated with signed TLSA (i.e. trusted cert)
>
> This does not provide adequate MiTM protection, but the draft does
> not rule out clients that might do this, rather it does not specify
> use of DANE for this case.

Good, then I am not crazy! :-)

> If enough users want this, such features
> could be added to Postfix.  The delivery is not immune to active
> attacks, but arguably somewhat stronger than ignoring such TLSA
> RRs.
>
> The primary use-case would be a provider that is MX hosting lots
> of domains, many of which are not DNSSEC signed, but the MX hosts
> are.

Exactly.

I think it is important to be able to tell people they SHOULD ABSOLUTELY get DANE for their port 25/465 incoming SMTP servers, regardless of whether they have X.509 certs for them or not. When hosting providers have TLSA records, then it is only up to the domain holder in such hosting environments to sign their zone to get complete protection.

I think it would be unfortunate if we end up in a catch-22 here as well regarding DNSSEC deployment.

   Patrik
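The exchange above turns on one question: when does a signed TLSA record actually authenticate the mail exchanger of the recipient domain, and when (case 5, unsigned MX) does it only authenticate whichever host the client was steered to? The following policy evaluator is an added illustration written for this page; it is not Postfix code and not text from RFC 7672. It takes the DNSSEC validation state of the three lookups an SMTP client makes (MX of the recipient domain, A/AAAA of the chosen MX host, TLSA at `_25._tcp.<mx-host>`) and reports what TLS mode results and whether the delivery resists an active attacker. The treatment of bogus answers as a deferral, and the labels `dane-verified`, `dane-host-only` and `opportunistic`, are this example's own assumptions.

```python
"""Constructed DANE-for-SMTP policy evaluator (illustration only, not Postfix's logic).

Inputs are the DNSSEC validation states of the lookups an SMTP client performs
before deciding whether TLSA records may be trusted:
  1. the MX RRset of the recipient domain,
  2. the A/AAAA RRset of the chosen MX host,
  3. the TLSA RRset at _25._tcp.<mx-host>.
"""
from dataclasses import dataclass
from enum import Enum


class Dnssec(Enum):
    SECURE = "secure"      # validated; chain of trust intact
    INSECURE = "insecure"  # zone provably unsigned (no DS at the parent)
    BOGUS = "bogus"        # signatures present but validation failed
    MISSING = "missing"    # RRset does not exist (used for TLSA only)


@dataclass(frozen=True)
class Lookups:
    mx: Dnssec    # MX RRset of the recipient domain
    addr: Dnssec  # A/AAAA RRset of the MX host
    tlsa: Dnssec  # TLSA RRset of the MX host


@dataclass(frozen=True)
class Decision:
    action: str           # "deliver" or "defer"
    tls: str              # "dane-verified", "dane-host-only", "opportunistic", "none"
    mitm_resistant: bool  # True only if an active DNS attacker cannot redirect delivery
    reason: str


def evaluate(l: Lookups) -> Decision:
    # Assumption for this example: a bogus answer anywhere is treated as a
    # lookup failure and the message is deferred rather than downgraded.
    if Dnssec.BOGUS in (l.mx, l.addr, l.tlsa):
        return Decision("defer", "none", False, "DNSSEC validation failure on a required lookup")

    # No secure TLSA RRset: nothing to pin the certificate to, so the best the
    # client can do is unauthenticated (opportunistic) STARTTLS.
    if l.tlsa in (Dnssec.MISSING, Dnssec.INSECURE):
        return Decision("deliver", "opportunistic", False, "no secure TLSA RRset for the MX host")

    # TLSA is secure. Whether it authenticates the *mail exchanger of the
    # recipient domain* depends on how the client learned that host name.
    if l.mx == Dnssec.SECURE:
        # Signed MX plus signed TLSA bind domain -> host -> certificate. The
        # A/AAAA state does not weaken this: whatever address the client reaches,
        # the peer must present a certificate matching the host's TLSA records.
        return Decision("deliver", "dane-verified", True,
                        "signed MX names the host, signed TLSA pins its certificate")

    # Case 5 from the thread: unsigned MX, signed A/AAAA, signed TLSA.
    # The certificate check proves the client reached the host it was told
    # about, but the MX answer itself could have been replaced, so the client
    # may have been told the wrong host. Passive interception is still
    # defeated, which is why this is stronger than ignoring the TLSA records.
    return Decision("deliver", "dane-host-only", False,
                    "TLSA authenticates the MX host, but the unsigned MX RRset is not authenticated")


def hosting_scenarios() -> dict:
    """The provider-hosting case discussed in the thread: the provider's MX hosts
    publish signed TLSA records; only the customer's own zone differs."""
    provider_hosts = dict(addr=Dnssec.SECURE, tlsa=Dnssec.SECURE)
    return {
        "customer zone signed": evaluate(Lookups(mx=Dnssec.SECURE, **provider_hosts)),
        "customer zone unsigned": evaluate(Lookups(mx=Dnssec.INSECURE, **provider_hosts)),
    }


if __name__ == "__main__":
    for name, d in hosting_scenarios().items():
        print(f"{name:24} {d.action:8} {d.tls:16} mitm_resistant={d.mitm_resistant}  ({d.reason})")
```

Running the block prints the two hosting scenarios from the thread side by side: with the provider's TLSA records in place, the only remaining step for full protection is the customer signing their own zone, which is exactly the point made in the reply.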