Re: [ietf-smtp] How to encrypt SMTP?

"John R Levine" <johnl@taugh.com> Sun, 27 October 2019 00:47 UTC

Date: Sat, 26 Oct 2019 20:47:42 -0400
Message-ID: <alpine.OSX.2.21.99999.368.1910262041440.10592@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Keith Moore <moore@network-heretics.com>
Cc: ietf-smtp@ietf.org
In-Reply-To: <344aaf1f-df91-ffb9-38bc-527d159a2ca6@network-heretics.com>
References: <20191027002554.260ABD7437F@ary.qy> <344aaf1f-df91-ffb9-38bc-527d159a2ca6@network-heretics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/0J3pn7Ji2U48Y5Cu9VbBakq0llY>
Subject: Re: [ietf-smtp] How to encrypt SMTP?

> Maybe it's not necessary, but I don't know how widely mta-sts is being 
> required.   What are the barriers to server operators turning on MTA-STS 
> everywhere?

It's pretty easy to deploy for your inbound servers: publish some DNS 
records and set up some trivial web pages. (See 
https://mta-sts.taugh.com/.well-known/mta-sts.txt)

For outbound mail it's somewhat harder: you have to look at what's on the 
web page and decide whether it matches what the MTA is seeing.

I expect the main barrier is that large scale operators see failures on 
legit traffic that would be invisible to us little guys, but enough of 
them that they're not ready to accept that level of breakage.  A useful 
thing that mta-sts borrows from DMARC is reports about what would have 
broken if it were enforced, so they can try and figure it out and fix it.

I believe it's the same reason that Google doesn't sign their domains with 
DNSSEC.  They certainly could if they wanted to.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
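The outbound step John describes, checking the published policy against the MX host the MTA is seeing, as an added example (not code from the thread or from any MTA). The policy text and hostnames are constructed; a real sender fetches the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS.

```python
"""Sender-side MTA-STS policy check (RFC 8461), added example code.

Compares the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt
with the MX host the MTA is about to connect to. Sample data is constructed.
"""

# Constructed sample policy; a real sender fetches it over HTTPS.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup-mx.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat and becomes a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode: %r" % policy.get("mode"))
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, mx_host):
    """A leading '*.' matches exactly one label (RFC 8461 section 4.1)."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # e.g. ".backup-mx.example.net"
        prefix = mx_host[:-len(suffix)] if mx_host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return mx_host == pattern

def check_delivery(policy, mx_host):
    """Return (matched, deliver). In 'testing' mode a mismatch is only
    material for the report; only 'enforce' blocks delivery."""
    matched = any(mx_matches(p, mx_host) for p in policy["mx"])
    deliver = matched or policy["mode"] != "enforce"
    return matched, deliver
```

The `matched` flag is what the "what would have broken" reports John mentions are built from, while `deliver` is the only value that changes MTA behaviour.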