IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-aggregate-reporting-09.txt

Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 29 April 2023 00:48 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6613C1526F4 for <dmarc@ietfa.amsl.com>; Fri, 28 Apr 2023 17:48:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzrrL6khBkv8 for <dmarc@ietfa.amsl.com>; Fri, 28 Apr 2023 17:48:11 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80BC2C15257C for <dmarc@ietf.org>; Fri, 28 Apr 2023 17:48:11 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-4f00d41df22so13077326e87.1 for <dmarc@ietf.org>; Fri, 28 Apr 2023 17:48:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682729289; x=1685321289; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=/F0LrHsGfWzXvOr0BRCYZbjiOAX3xmMAcgk0JCma/Hw=; b=m595GQZcecSDjsVr5o5oqfFAa5kkLv8U4a9NtnzxxzqwnBVV0cOfwccRMjO+DbuCOO UgCRvsKWZurA99avgiJ37AR1fRzdzUlihPxYD7LCyLT73LylHEBpRMWBOFzUSWpekF3U ELpkVRzw08dEsG6QNlYlzHbGghGSwnCT84rrdISkR0tw7mA23/80dnDTwC52nr8RHlMc yN00FlGsiit/eQoeA16gRIIuiHDDeZl4gIuIti1aMQfsnRn/fdZ9CbTkMTRSwZ1mCfOP 62c6OZMtdEUdwVVTaxBQH6KXaT9uJ2V7Khl2n0YUe20jBGTAtxpkGfaY384ndmJ6l/qu 847g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682729289; x=1685321289; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/F0LrHsGfWzXvOr0BRCYZbjiOAX3xmMAcgk0JCma/Hw=; b=NHqXDixNpHa781lbnpfCUGho++SGyKSAvqjnizqqOXfW4KSdRkgBHlP4amFkwNGWxG gbdVgfw5SoTEj5SMAaqSBAPM8YLYKma3Lt364L8R1wokcJg2QAGJTE4I82F1VH705ryJ ea4h0ygjGgz4YALPEOhsKL+1Nk6tIav+PXOGijYxHNRxXKIkYix17c+qfBxiLqeu1eH3 tYHmVikjp5Cg4NlQTby/MWaNATOrb6BiBuyVf//TjS56t1Pq62Dc3P8Z5+y3NevGQN3o NR1V0nHq1QdCr5mwsgeuvaKStE9LYWhOfUYS6oMOd0PmlSIsF/k6tbavcTdc4AACWaZD XCSA==
X-Gm-Message-State: AC+VfDwvjPJC5tQLbgzyoFaqbUqRS5c0uX49hQRi6rgsfT0jcw0jtoMw jHLXYbFfey2vWd3egAUz4PbjmrFJiGxbTv9OXrElSYHh
X-Google-Smtp-Source: ACHHUZ7nuVYNosqBAcnFPRam7RqeInlqlKh4lbptH4f3qaS0GjBcD6dUu/JE9J5tsJsIo8V7/P6CPIcXgv8jPsLCLu8=
X-Received: by 2002:a2e:b989:0:b0:2a7:a4c4:41c0 with SMTP id p9-20020a2eb989000000b002a7a4c441c0mr3027586ljp.20.1682729288782; Fri, 28 Apr 2023 17:48:08 -0700 (PDT)
MIME-Version: 1.0
References: <168237954548.59430.5667500092734033047@ietfa.amsl.com> <MN2PR11MB4351A122FFE05229D0A5A493F7679@MN2PR11MB4351.namprd11.prod.outlook.com> <cd906cf7-187b-4c8d-8aee-aa9e1990d8b4@iecc.com> <CAJ4XoYeVH9JHc=03PkaR_btJ8oBk1YtBvwfY6wKMhUjC1qzC0g@mail.gmail.com> <1f0147d2-26e1-36cb-d3d7-2e669d3f95e3@iecc.com> <CAH48Zfy_tjzJzrpA_-ifZUSQN_oQtahSAjnARMxd=J1vmKd9WQ@mail.gmail.com> <469F5195-44DB-41EB-ACAF-0A809A89868F@icloud.com>
In-Reply-To: <469F5195-44DB-41EB-ACAF-0A809A89868F@icloud.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 28 Apr 2023 20:47:57 -0400
Message-ID: <CAH48ZfxChTepgRUHK7-j0+5nZtn6OMF=twTYnmMf7-PKPXqRRQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082d8c805fa6ef1c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DXLw33wHHAmhGoNmPYO45WPv0eM>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-aggregate-reporting-09.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Apr 2023 00:48:15 -0000

I was not proposing what other people should do, nor was I proposing a
standards change.   I was just observing that we always have choices (with
supporting software.)

In this case, if a remote correspondent cannot do acceptable TLS
encryption, then the local correspondent always has the option of
terminating the connection (cleanly), and communicating another way or not
communicating at all.

I was describing what was already in place.  Our organization does not send
outbound mail without encryption.  If the correspondent cannot do TLS, we
communicate by another method.

Some MailFrom domains use encryption so reliably that you can block certain
forms of impersonation simply by requiring encryption on inbound messages
from those domains.

No futures.  No protocol redesign.  Existing features of existing products.

Doug Foster

On Fri, Apr 28, 2023 at 5:24 PM Hector Santos <sant9442@icloud.com> wrote:

> Douglas,
>
> In general, you can’t impose or mandate rules under PO RT 25 unsolicited,
> unauthenticated sessions. You can do this with ESMTP AUTH a.k.a SUBMISSION
> Protocol (RFC????) which is Port 587. Under this port, you can mandate more
> Authentication/Authorization than with Port 25 and not using ESMTP AUTH.
>
> So for example, for PCI, you must use A/A mechanisms probably under Port
> 587 because it can be mandated. Not under Port 25.
>
> —
> HLS
>
>
> On Apr 27, 2023, at 7:04 AM, Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
> There are options on TLS failure.
>
> Mandatory TLS is actually pretty common, since PCI DSS, HIPAA and GDBR
> have all been interpreted as requiring TLS on email.    For outbound mail,
> our MTA is configured to drop the connection if encryption cannot be
> established.  I think this configuration option has become pretty common in
> commercial products.    Domains that cannot accept encrypted traffic are
> handled with secure web relay (Zixmail or one of its many imitators.)  In
> the case of a report recipient that cannot accept TLS traffic, we would
> simply drop the destination.
>
> For inbound mail, my organization has concluded that data security is the
> responsibility of the sender, so we do accept unencrypted messages.
>
> By and large, mandatory TLS will be implemented consistently, rather than
> on a specific message like a DMARC report, so I don't know how much needs
> to be said in this document.
>
> Doug
>
> On Tue, Apr 25, 2023 at 12:29 PM John R. Levine <johnl@iecc.com> wrote:
>
>> >> Since the only mechanism is mail and nobody's going to S/MIME encrypt
>> >> their reports, I suggest just deleting it.
>> >
>> > TLS vs not TLS.
>>
>> I suppose, but that's not up to the report sender.  If I say
>> "rua=mailto:report@cruddy.org", and the MX for cruddy.org doesn't do
>> STARTTLS, what are you going to do?
>>
>> R's,
>> John
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
>

v2.23.0 | Report a Bug | By Email