Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 01 January 2020 19:01 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CAD31200D7 for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:01:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eA-8WgYxrf9E for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:01:34 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F66A120099 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 11:01:34 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id CA5C52A7B31 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 14:01:33 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <994e7a23-9e80-4751-6067-8863ad0ee72f@network-heretics.com>
Date: Wed, 01 Jan 2020 14:01:33 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: ietf-smtp@ietf.org
Message-Id: <CF9346F4-3B98-42B6-8DAB-3CCF932AAC11@dukhovni.org>
References: <20200101175510.8549A11E2905@ary.qy> <D441E0BE-1F32-4329-9296-A5026540E8D0@dukhovni.org> <994e7a23-9e80-4751-6067-8863ad0ee72f@network-heretics.com>
To: ietf-smtp@ietf.org
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/6n7ylvrRdrXuRs8FbsZGtr-I2t0>
Subject: Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2020 19:01:37 -0000
> On Jan 1, 2020, at 1:27 PM, Keith Moore <moore@network-heretics.com> wrote: > > FWIW, Let's Encrypt doesn't currently issue client certificates. Actually, it does, for example: Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Validity Not Before: Oct 24 07:01:29 2019 GMT Not After : Jan 22 07:01:29 2020 GMT Subject: CN = box.ezemailserver.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication The EKU lists both TLS server and TLS client roles. > And since this would be entirely new practice, it would at least be possible to require Organization Validation or Extended Validation certificates as a condition of accepting mail, or more likely, as a condition of not pessimizing mail... and/or set up email-specific CAs for the purpose of authenticating SMTP clients. That's a non-starter. I am not going to pay for EV certs (a dead-end idea that failed and is going away). There's no scalable mechanism for a third party to whitelist the good guys. The only thing that can work is for ISPs to list CIDR blocks that are authorised SMTP relays. A decade and a half ago, there was: https://www.ietf.org/archive/id/draft-crocker-csv-csa-00.txt [ which would IMHO need to be simplified, probably too much baggage in an effort to reconcile CSV vs. CSA, ... ] that I was sure stood a much better chance of addressing spam from botnets and the like than SPF, Sender-ID, DKIM, ... which only touch on the much narrower issue of "From" forgery in phishing. [ And don't really solve that either, since naïve users still fall for phishing email that doesn't bother to forge the message origin. ] But for various reasons addressing "phishing" got more attention. Client certs from a CA cannot address botnet spam, but explicit records in DNS from a domain that stands behind the client's role as an outbound MTA can help, modulo the same $5/domain that means that makes disposable domains attractive to the spammer. Which means we'd need technology to blacklist the rogue domains very quickly (before the spammer earns $5 in revenue by abusing it). > I don't claim that it's simple to make this work - the devil is, as always, in > the details. I don't think there is a magic bullet. But I do see client cert > authentication of SMTP-over-TLS as another potential tool in the toolbox. I think they could be useful forensically, and even potentially to show a user that email arrived along an expected "trusted path", but not for screening out unauthorised senders. That is sadly not possible. -- Viktor.
- [ietf-smtp] Possible cont4ibution to moving forwa… John C Klensin
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… John C Klensin
- Re: [ietf-smtp] Possible cont4ibution to moving f… John C Klensin
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible cont4ibution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… John C Klensin
- Re: [ietf-smtp] Possible cont4ibution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible cont4ibution to moving f… Jeremy Harris
- Re: [ietf-smtp] Possible cont4ibution to moving f… Alessandro Vesely
- Re: [ietf-smtp] Possible contiibution to moving f… John C Klensin
- Re: [ietf-smtp] Possible contiibution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible contiibution to moving f… John C Klensin
- Re: [ietf-smtp] Possible contribution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible contribution to moving f… John C Klensin
- Re: [ietf-smtp] Possible contribution to moving f… S Moonesamy
- Re: [ietf-smtp] Possible cont4ibution to moving f… Barry Leiba
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… John Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… John Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… John R Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Laura Atkins
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Laura Atkins
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Laura Atkins
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Hector Santos
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- [ietf-smtp] It's not about IP-Literals, its about… Hector Santos
- Re: [ietf-smtp] Endless debate on IP literals John C Klensin
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Jeremy Harris
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… John Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] SMTP client certs John Levine
- Re: [ietf-smtp] Endless debate on IP literals John Levine
- Re: [ietf-smtp] Possible contribution to moving f… Richard Clayton
- Re: [ietf-smtp] Possible contribution to moving f… John Levine
- Re: [ietf-smtp] Possible contribution to moving f… Viktor Dukhovni
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Endless debate on IP literals Viktor Dukhovni
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John Levine
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John Levine
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals Viktor Dukhovni
- Re: [ietf-smtp] Endless debate on IP literals Alessandro Vesely
- Re: [ietf-smtp] Possible contribution to moving f… Hector Santos
- Re: [ietf-smtp] Possible contribution to moving f… Hector Santos
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Hector Santos
- Re: [ietf-smtp] Endless debate on IP literals Hector Santos
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Hector Santos
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Possible contribution to moving f… John C Klensin
- Re: [ietf-smtp] Possible contribution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Arnt Gulbrandsen
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Possible contribution to moving f… John C Klensin
- Re: [ietf-smtp] Possible contribution to moving f… Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… John Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… John Levine
- Re: [ietf-smtp] Possible contribution to moving f… Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Ned Freed
- Re: [ietf-smtp] Possible cont4ibution to moving f… Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Ned Freed
- Re: [ietf-smtp] Endless debate on IP literals Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- [ietf-smtp] lounging around Dave Crocker
- Re: [ietf-smtp] Endless debate on IP literals Keith Moore
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] Endless debate on IP literals John R Levine
- Re: [ietf-smtp] Possible cont4ibution to moving f… Keith Moore
- Re: [ietf-smtp] lounging around John Levine
- Re: [ietf-smtp] Endless debate on submission auth… John Levine
- Re: [ietf-smtp] lounging around John Levine
- Re: [ietf-smtp] lounging around Keith Moore
- Re: [ietf-smtp] lounging around Dave Crocker