Re: [Emailcore] Issue 80 - Clarify where the protocol stands with respect to submission and TLS issues

Hector Santos <hsantos@isdg.net> Wed, 06 December 2023 19:23 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: emailcore@ietfa.amsl.com
Delivered-To: emailcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C227C15107F for <emailcore@ietfa.amsl.com>; Wed, 6 Dec 2023 11:23:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="Y3HkHkqV"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="fIXLlXdY"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ya8zGK6nCDH2 for <emailcore@ietfa.amsl.com>; Wed, 6 Dec 2023 11:23:16 -0800 (PST)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA5F5C151082 for <emailcore@ietf.org>; Wed, 6 Dec 2023 11:23:16 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=13182; t=1701890589; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Message-Id:Subject: Date:To:Organization:List-ID; bh=LeTukfOE5Z2NpqSQXliBRCGSWX6mQdi /UfuokXfalwc=; b=Y3HkHkqVStPwqwnX2mg5hecuXvmC702UFy21SDIYvdOHp7M RIelFfGHcw5X3DxMgF6pie5yw5UjR9xjAhGx+CcSjf//uI/hFoT2pQITKXCsQKyK +7sEOJjICO6DUYidj03vLK1qqczjAQ1/lif/95YHL+lPDpLrSFz2PmZjB+Ms=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.14) for emailcore@ietf.org; Wed, 06 Dec 2023 14:23:09 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.14) with ESMTP id 808101071.1.12596; Wed, 06 Dec 2023 14:23:08 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=13182; t=1701890587; h=Received:Received: From:Message-Id:Subject:Date:To:Organization:List-ID; bh=LeTukfO E5Z2NpqSQXliBRCGSWX6mQdi/UfuokXfalwc=; b=fIXLlXdYm9t6LbOSsRSGku0 s2wkypJVSVxfeUBMzjsFgZOsobOk38GyZBJthFhsNgM77eUouXffknlDo7CxD6XJ BL0QujeoJwHtHTr58WAEi89xKdb8ryhAOLgIf/VDTZg77TKwQOQqPnwOcsn1I423 7W/b0GoWBn0Pw13nSxpw=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for emailcore@ietf.org; Wed, 06 Dec 2023 14:23:07 -0500
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 1254283774.1.12524; Wed, 06 Dec 2023 14:23:05 -0500
From: Hector Santos <hsantos@isdg.net>
Message-Id: <FD9F7C5F-C8B9-4B69-83ED-59C460FC2C57@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2B01209-8C61-4E0F-A9F2-74DB861E60A3"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Wed, 06 Dec 2023 14:22:54 -0500
In-Reply-To: <CAHej_8nuY3vvfs_=_67jtHbeSd-K=Epi1-nOspD=B5raFj5xig@mail.gmail.com>
Cc: EmailCore WG <emailcore@ietf.org>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
References: <CAHej_8nuY3vvfs_=_67jtHbeSd-K=Epi1-nOspD=B5raFj5xig@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emailcore/s2n158xgQ820LlE1DdhcujHPH_Q>
Subject: Re: [Emailcore] Issue 80 - Clarify where the protocol stands with respect to submission and TLS issues
X-BeenThere: emailcore@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: EMAILCORE proposed working group list <emailcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emailcore>, <mailto:emailcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emailcore/>
List-Post: <mailto:emailcore@ietf.org>
List-Help: <mailto:emailcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emailcore>, <mailto:emailcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Dec 2023 19:23:21 -0000

If I may, I wish to add an implementation anecdote note. In our ongoing battle to control SMTP attacks, we recently updated our SMTP server to require TLS for AUTH. In other words, AUTH is not presented in the initial EHLO response if the session is not encrypted (by issuing STARTTLS first). So far, session trace logs show it has made a difference, albeit small, a difference nonetheless. I do wonder how other SMTP servers behave. It may depend on SASL methods available (plain text vs encrypted).


All the best,
Hector Santos


> On Nov 30, 2023, at 3:14 PM, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> 
> Greetings.
> 
> The subject issue (https://github.com/ietf-wg-emailcore/emailcore/issues/80) was discussed during the 29 November 2023 interim. The initial comments from November 2022 in the Github issue read as follows:
> 
> submission on port 587
> submission on port 465
> TLS relay on a port different from 25 (whenever)
> Recommendations about general use of transport layer (hop by hop)
> security, particularly encryption including consideration of RFC
> 8314.
> The MTA-to-MTA relay case is now covered by now closed ticket #54 <https://github.com/ietf-wg-emailcore/emailcore/issues/54>. Do we need to say anything about submission and RFC 8314?
> 
> The conversation at the interim seemed to coalesce around the idea that section 6 of the current version of the A/S (https://www.ietf.org/archive/id/draft-ietf-emailcore-as-08.html#name-confidentiality-and-authent) addresses this topic save for no mention of port 465. 
> 
> It is recorded in the comments for this issue that the A/S should be updated to acknowledge the existence of port 465 and the ticket should be closed. Specifically, this sentence in section 6.4:
> 
> SMTP AUTH defines a method for a client to identify itself to a Message Submission Agent (MSA) when presenting a message for transmission, usually using port 587 rather than the traditional port 25.
> 
> should be updated to read as follows:
> 
> SMTP AUTH defines a method for a client to identify itself to a Message Submission Agent (MSA) when presenting a message for transmission, usually using ports 465 or 587 rather than the traditional port 25.
> 
> Please consider what was recorded from the interim and either declare your support for making this change to the A/S and closing this issue or provide candidate text for insertion into the next revision of the A/S.
> 
> Thank you.
> 
> -- 
> Todd Herr  | Technical Director, Standards & Ecosystem
> e: todd.herr@valimail.com <mailto:todd.herr@valimail.com>
> p: 703-220-4153
> m: 703.220.4153
> 
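The AUTH gating that Hector describes (AUTH listed in the EHLO reply only once STARTTLS has been negotiated), written out as an added example that is not code from the original thread or from any mail server named in it. It models an MSA's EHLO reply in-process so the check runs offline, parses the capability list, and then shows the same audit against a live host with the standard library's smtplib, covering both the STARTTLS port (587) and the implicit-TLS port (465) that the quoted A/S text adds. The hostname and capability set are constructed; nothing here is a product's real configuration.

```python
"""Audit whether an SMTP submission server withholds AUTH until the session
is encrypted. Added example; the server model below is a constructed stand-in,
not any real MSA's code."""
import smtplib
import ssl
from dataclasses import dataclass


# --- Offline model of a submission server's EHLO reply ----------------------

def ehlo_response(hostname: str, tls_active: bool, gate_auth_on_tls: bool) -> list[str]:
    """Return the EHLO reply lines the modelled MSA sends.

    With gate_auth_on_tls=True, AUTH is listed only once the session is
    encrypted (the behaviour described in the message). STARTTLS is offered
    only while the session is still plaintext, since RFC 3207 forbids
    advertising it again after the TLS handshake.
    """
    lines = [f"250-{hostname}"]
    if not tls_active:
        lines.append("250-STARTTLS")
    if tls_active or not gate_auth_on_tls:
        lines.append("250-AUTH PLAIN LOGIN")
    lines.append("250-8BITMIME")
    lines.append("250 SIZE 52428800")      # constructed limit
    return lines


def parse_ehlo(lines: list[str]) -> dict[str, str]:
    """Parse EHLO reply lines into {KEYWORD: parameters}; the first line is
    the server's greeting and carries no extension, so it is skipped."""
    features: dict[str, str] = {}
    for line in lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        keyword, _, params = rest.partition(" ")
        features[keyword.upper()] = params
    return features


@dataclass
class AuthGatingFinding:
    tls_available: bool     # STARTTLS offered, or implicit-TLS port in use
    auth_before_tls: bool   # AUTH listed while the session was plaintext (weak)
    auth_after_tls: bool    # AUTH listed once the session was encrypted

    @property
    def auth_properly_gated(self) -> bool:
        return self.tls_available and not self.auth_before_tls and self.auth_after_tls


def audit_auth_gating(pre_tls: list[str], post_tls: list[str]) -> AuthGatingFinding:
    """Compare the EHLO reply seen before STARTTLS with the one seen after."""
    before = parse_ehlo(pre_tls)
    after = parse_ehlo(post_tls)
    return AuthGatingFinding(
        tls_available="STARTTLS" in before,
        auth_before_tls="AUTH" in before,
        auth_after_tls="AUTH" in after,
    )


def audit_model(gate_auth_on_tls: bool) -> AuthGatingFinding:
    """Drive the in-process model through plaintext EHLO, STARTTLS, EHLO."""
    host = "msa.example.test"   # constructed hostname
    pre = ehlo_response(host, tls_active=False, gate_auth_on_tls=gate_auth_on_tls)
    post = ehlo_response(host, tls_active=True, gate_auth_on_tls=gate_auth_on_tls)
    return audit_auth_gating(pre, post)


# --- The same check against a live MSA (needs a network; not run offline) ---

def audit_live(host: str, port: int = 587, timeout: float = 10.0) -> AuthGatingFinding:
    """Port 465 is encrypted from the first byte, so there is no plaintext
    EHLO to compare and the verdict reduces to 'AUTH offered over TLS'.
    Port 587 (or 25) is checked exactly like the model: EHLO, STARTTLS, EHLO."""
    ctx = ssl.create_default_context()
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return AuthGatingFinding(True, False, s.has_extn("auth"))
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        starttls = s.has_extn("starttls")
        auth_plain = s.has_extn("auth")
        auth_tls = False
        if starttls:
            s.starttls(context=ctx)
            s.ehlo()            # capabilities must be re-read after STARTTLS
            auth_tls = s.has_extn("auth")
        return AuthGatingFinding(starttls, auth_plain, auth_tls)


if __name__ == "__main__":
    print("gated:", audit_model(True))
    print("ungated:", audit_model(False))
```

`audit_model(True)` reports the gated behaviour from the message (STARTTLS offered, no AUTH in the plaintext reply, AUTH after TLS); `audit_model(False)` reports AUTH leaking into the plaintext reply, which is the configuration the change was meant to remove. `audit_live` is the same comparison against a real server and is the part an operator would point at their own MSA.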