Re: [ietf-smtp] why are we reinventing mta-sts ?

Keith Moore <moore@network-heretics.com> Mon, 07 October 2019 12:36 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 518961200CD for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 05:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrNjP4BsVPKy for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 05:36:49 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D914F1200B1 for <ietf-smtp@ietf.org>; Mon, 7 Oct 2019 05:36:49 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 2966421C7A; Mon, 7 Oct 2019 08:36:49 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Mon, 07 Oct 2019 08:36:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=6Ni9vTmAh+3y+zuzzef6xteBhAEcrm7/xKppLjX9W l0=; b=d5TZ/ozM0Uu3iAwiZRQmfcUxxHrzHMM5aQu29oiiSY3di/DfGl4yRKCt7 8ZUMjLr+A1EFKJyFCbGseUnxtnj71HyrqbkzZpbcJ1yBuq8ntxDBv4IbSy3fk/fF yK1jDCB1TAYjr0dGSeWUnP3QQtZWN6XovfKYznDpHVVKwLqp0weHcGQvk8ERu6ap y/ysDZT1nk/ZbtizYcQySt8Rh+jMwpHCHVqaETSF36MbFmnsK7JTxEpVc6hZIitY mzmLIDeQGNXjJKSG5/jQbYtPn4Ze43L1CANRpzxQn2PxYNc11uJ2Og1V8VY3zzSY xZjz/4+tZqdOKBDPD9xPTiQlDuUmw==
X-ME-Sender: <xms:YDGbXfrHgL7_Q-lxNImgeai7IduvlKPjF8rWCvV86QOAD9gU3taVPg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrheejgdegtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtgfesthekre dttdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecukfhppedutdekrddvvddurddukedtrdduhe enucfrrghrrghmpehmrghilhhfrhhomhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgv thhitghsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:YDGbXd62HJgbbw_W7NDcoNm7jM2HUPJJ-zQBEzLPN1-cOVuVUQNsIw> <xmx:YDGbXXM92Go0ncEGcABdGtiBK6vdOxaCIxcVEdtwl6DLz--J_v8v3w> <xmx:YDGbXXOFSjT10TlxmjGADGWzP1Zhlwf7ZyWEJybCkYdQn9UVHndzKg> <xmx:YTGbXSD6goq40VZD__-1i4DWsTvBwURV2xCJAGnMEwzMwZPcqme6Zg>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 8BFBFD6005F; Mon, 7 Oct 2019 08:36:48 -0400 (EDT)
To: ietf-smtp@ietf.org
References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy> <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <249ffeeb-44eb-b180-52e1-866e755c5cc1@network-heretics.com>
Date: Mon, 07 Oct 2019 08:36:47 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/7WUQmz4BVhktmKDQJpwc5ntMV9I>
Subject: Re: [ietf-smtp] why are we reinventing mta-sts ?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 12:36:51 -0000

On 10/7/19 5:11 AM, Daniel Margolis wrote:

> I've only quickly skimmed the original thread, but it seems like the 
> argument is about this magic DNS prefix for MX records that would 
> indicate "this MX should offer STARTTLS", right?
>
> As John says, the new proposal also requires DNSSEC, no? It seems like 
> the primary difference is that the new proposal is simpler by 
> indicating only that the server supports TLS, but not what identity it 
> presents? Why is that desirable?

I didn't see this explicitly specified in the proposal, but IMO the 
server certificate should match the target of the MX record.

And depending on DNSSEC probably does impair the ability of this to be 
deployed. But if DoT can be used instead of DNSSEC, it seems to me 
that this might be easier to deploy than MTA-STS.

Granted, MTA-STS exists already and enjoys some support. A new 
proposal thus has a high bar to clear in order to be accepted as a 
standard. But I don't think it's wrong to discuss other ideas.

Keith
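The check Keith describes above, that the certificate presented by the SMTP server should match the target hostname of the MX record, as an added example that is not part of this thread or of any MTA-STS implementation. It assumes the MX target has already been obtained from a lookup the sender trusts (DNSSEC- or DoT-protected, as the thread discusses) and that the subjectAltName dNSName entries have already been pulled out of the certificate into a list of strings; the hostnames and certificate names below are constructed, and the matching follows the RFC 6125 rules for a single left-most-label wildcard.

```python
"""Does the SMTP server's certificate cover the MX target host?

Added illustration, not code from the mailing-list thread. Assumes:
  - mx_target came from a DNSSEC- or DoT-protected MX lookup
  - san_dns_names are the certificate's subjectAltName dNSName entries
The Common Name is deliberately not consulted; only SAN dNSNames count.
"""
from __future__ import annotations


def _normalize(name: str) -> str:
    """Lower-case and drop a single trailing dot (FQDN form)."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a hostname (RFC 6125 style).

    A wildcard is accepted only when it is the entire left-most label,
    it matches exactly one label, and at least two labels must follow it,
    so '*.mail.example.net' covers 'mx1.mail.example.net' but neither
    'mail.example.net' nor 'a.mx1.mail.example.net', and '*.net' is rejected.
    Partial-label wildcards such as 'mx*.mail.example.net' never match.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole first label, only one '*', at least 2 labels after it.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def mx_certificate_matches(mx_target: str, san_dns_names: list[str]) -> bool:
    """True if any SAN dNSName in the presented certificate covers mx_target.

    A certificate with no dNSName entries fails closed: with nothing to match
    the MX target against, the sender cannot tell which host it reached.
    """
    return any(dns_name_matches(name, mx_target) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed scenario: example.com lists mx1.mail.example.net as its MX.
    mx_target = "mx1.mail.example.net"
    # A certificate issued to the mail provider's hosts covers the MX target.
    provider_cert_sans = ["mail.example.net", "*.mail.example.net"]
    # A certificate for the recipient domain itself does not name the MX host,
    # so under the "match the MX target" rule it must be rejected.
    recipient_domain_cert_sans = ["example.com", "www.example.com"]
    for sans in (provider_cert_sans, recipient_domain_cert_sans):
        print(sans, "->", mx_certificate_matches(mx_target, sans))
```

Note that the function is only as strong as the MX lookup feeding it: if the MX target itself was obtained from an unauthenticated DNS answer, a matching certificate proves only that the sender reached whichever host the answer named, which is exactly why the thread keeps returning to DNSSEC or DoT as a prerequisite.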