IETF Logo Mail Archive

Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 01 January 2020 19:01 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CAD31200D7 for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:01:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eA-8WgYxrf9E for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:01:34 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F66A120099 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 11:01:34 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id CA5C52A7B31 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 14:01:33 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <994e7a23-9e80-4751-6067-8863ad0ee72f@network-heretics.com>
Date: Wed, 01 Jan 2020 14:01:33 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: ietf-smtp@ietf.org
Message-Id: <CF9346F4-3B98-42B6-8DAB-3CCF932AAC11@dukhovni.org>
References: <20200101175510.8549A11E2905@ary.qy> <D441E0BE-1F32-4329-9296-A5026540E8D0@dukhovni.org> <994e7a23-9e80-4751-6067-8863ad0ee72f@network-heretics.com>
To: ietf-smtp@ietf.org
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/6n7ylvrRdrXuRs8FbsZGtr-I2t0>
Subject: Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2020 19:01:37 -0000

> On Jan 1, 2020, at 1:27 PM, Keith Moore <moore@network-heretics.com> wrote:
> 
> FWIW, Let's Encrypt doesn't currently issue client certificates.

Actually, it does, for example:

        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Oct 24 07:01:29 2019 GMT
            Not After : Jan 22 07:01:29 2020 GMT
        Subject: CN = box.ezemailserver.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:  
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

The EKU lists both TLS server and TLS client roles.


> And since this would be entirely new practice, it would at least be possible to require Organization Validation or Extended Validation certificates as a condition of accepting mail, or more likely, as a condition of not pessimizing mail... and/or set up email-specific CAs for the purpose of authenticating SMTP clients.

That's a non-starter.  I am not going to pay for EV certs (a dead-end idea
that failed and is going away).  There's no scalable mechanism for a third
party to whitelist the good guys.  The only thing that can work is for ISPs
to list CIDR blocks that are authorised SMTP relays.

A decade and a half ago, there was:

   https://www.ietf.org/archive/id/draft-crocker-csv-csa-00.txt

   [ which would IMHO need to be simplified, probably too much baggage in an
     effort to reconcile CSV vs. CSA, ... ]

that I was sure stood a much better chance of addressing spam from botnets and
the like than SPF, Sender-ID, DKIM, ... which only touch on the much narrower
issue of "From" forgery in phishing. [ And don't really solve that either, since
naïve users still fall for phishing email that doesn't bother to forge the message
origin. ] But for various reasons addressing "phishing" got more attention.

Client certs from a CA cannot address botnet spam, but explicit records in DNS
from a domain that stands behind the client's role as an outbound MTA can help,
modulo the same $5/domain that means that makes disposable domains attractive
to the spammer.  Which means we'd need technology to blacklist the rogue domains
very quickly (before the spammer earns $5 in revenue by abusing it).

> I don't claim that it's simple to make this work - the devil is, as always, in
> the details.   I don't think there is a magic bullet.   But I do see client cert
> authentication of SMTP-over-TLS as another potential tool in the toolbox.

I think they could be useful forensically, and even potentially to show a user
that email arrived along an expected "trusted path", but not for screening out
unauthorised senders.  That is sadly not possible.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email