Re: [ietf-smtp] why are we reinventing mta-sts ?

Keith Moore <moore@network-heretics.com> Mon, 07 October 2019 13:50 UTC

To: ietf-smtp@ietf.org
References: <20191007134613.5AF10BB4C8E@ary.qy>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <948b775a-8191-8ab9-af09-28e89f7fc33b@network-heretics.com>
Date: Mon, 07 Oct 2019 09:50:38 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/55LEwQRhZ9xiK13Fama5UjEjiz4>

On 10/7/19 9:46 AM, John Levine wrote:

>> And depending on DNSSEC probably does impair the ability of this to be
>> deployed.   But if DoT can be used instead of DNSSEC, it seems to me
>> that this might be easier to deploy than MTA-STS.
> But DoT and DNSSEC are unrelated.  DNSSEC promises that the data you
> got are the ones that the authoritative servers published, even though
> someone might have snooped on the way.  DoT promises that nobody
> snooped and the data you got are the ones that the resolver, which may
> be lying, sent.

Clearly you can't trust the resolver.  But an answer to a DoT query to an authoritative server seems like it would be sufficient, provided there's assurance that the server really is authoritative.

Keith