Re: [ietf-smtp] starttls-everywhere

Phil Pennock <ietf-smtp-phil@spodhuis.org> Sun, 31 March 2019 19:17 UTC

Return-Path: <ietf-smtp-phil@spodhuis.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F76B120021 for <ietf-smtp@ietfa.amsl.com>; Sun, 31 Mar 2019 12:17:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spodhuis.org header.b=XNhoY9y/; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=spodhuis.org header.b=ROFCmowi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTNn9YBV-7jD for <ietf-smtp@ietfa.amsl.com>; Sun, 31 Mar 2019 12:17:00 -0700 (PDT)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71F13120003 for <ietf-smtp@ietf.org>; Sun, 31 Mar 2019 12:17:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201902; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=nZEnSj6vWNspvic/Kn6lvzTSFr8hgp+wKIMUu3TmUDY=; b=XNhoY9y/5Ot43+PNNkMEfmlDYA 0F782r0pVN16Z6k5kmpRUpraVbZtGjrH2SNa4AOUpsboJ9jRLi4P1X+eZxqD+4ct1ddHgUwcSUcRU It+M6iA5lVJ/EDz2porpR4GoV55/hgQ9oauTi77uIatnQaRNNmTYJEgzOSUcikux9yWYpw0RgyMp1 skjUDv13q9fVlL96XSsIzhjFZgfJ3WxotpU80F6gOO+z9VNAiqEFQoA8lb19QmnAe0vJ8SP8Xd3Nm bwcmNBF0SX3ViKf5xS8CCjvF2IG0yn5Nhe0PWnCYB7YNxcGnIpbNxXaNUCRJE2rwAFV/dGcbW7DKY r7Hc+U0w==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201902e2; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nZEnSj6vWNspvic/Kn6lvzTSFr8hgp+wKIMUu3TmUDY=; b=ROFCmowiLkefJK9ns7rAibC61 sAiTzz+uTZxAaZXEdjzRYbAdlo4XI+/9pNfRu48bqJu1CUrGVbxeaAER3IjAg==;
Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hAfwu-0002Ei-FZ; Sun, 31 Mar 2019 19:16:56 +0000
Date: Sun, 31 Mar 2019 15:16:53 -0400
From: Phil Pennock <ietf-smtp-phil@spodhuis.org>
To: keld@keldix.com
Cc: Jeremy Harris <jgh@wizmail.org>, ietf-smtp@ietf.org
Message-ID: <20190331191653.GA5690@osmium.pennocktech.home.arpa>
Mail-Followup-To: keld@keldix.com, Jeremy Harris <jgh@wizmail.org>, ietf-smtp@ietf.org
References: <74074d25-26b0-e597-c05d-62b6b5902a7c@wizmail.org> <20190331113321.GA13658@www5.open-std.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190331113321.GA13658@www5.open-std.org>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/0x4D1E900E14C1CC04.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/BZgqjFB99pbc6U8rrL_dUCRQYTQ>
Subject: Re: [ietf-smtp] starttls-everywhere
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 19:17:02 -0000

On 2019-03-31 at 13:33 +0200, keld@keldix.com wrote:
> is it not the best way to do it now
> 
> something like 95 % of my connections nowadays are tls, but most of
> the connections are with certificates that do not validate.
> temporary and the like.
> 
> would going to enforcing not invalidate all these connections?
> and the fallback to non-encrypted smtp? shooting yourself in the foot...

No: the point of the STARTTLS-Everywhere system is that, like both DANE
and MTA-STS, the sender does _not_ fall back to unencrypted SMTP.

Except in Testing mode.  Which is what Jeremy is explicitly asking
about: moving from "hint, but can still fall back" to "enforce, with no
fall back".

-Phil
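As an added example, not from this thread and not code from any of the MTAs discussed on it: a small Python evaluator for an MTA-STS (RFC 8461) policy, showing the "testing" versus "enforce" distinction Phil describes. In enforce mode a connection that fails the policy (no STARTTLS, a certificate that does not validate, or an MX host the policy does not list) is deferred rather than sent in the clear; in testing mode the same message is delivered anyway, and the failure is only reported. The policy text, the delivery outcomes and the reason strings are constructed for this example (they are not TLSRPT's result-type names), and the wildcard matcher follows the one-label rule of RFC 8461 section 4.1.

```python
"""
Added example: MTA-STS policy evaluation, enforce vs. testing mode.
Policy text and delivery outcomes below are constructed inline; there is
no network access. Reason strings are illustrative, not TLSRPT vocabulary.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed policy, in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY_ENFORCE = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 86400
"""

SAMPLE_POLICY_TESTING = SAMPLE_POLICY_ENFORCE.replace("mode: enforce", "mode: testing")


@dataclass
class StsPolicy:
    version: str
    mode: str                       # "enforce", "testing" or "none"
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the key/value policy body; 'mx' may repeat, everything else is single-valued."""
    fields = {}
    mx: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("a policy in enforce/testing mode must list at least one mx")
    return StsPolicy(fields["version"], mode, mx, int(fields["max_age"]))


def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches exactly one leftmost label (RFC 8461 s.4.1); otherwise exact match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".backup.example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]     # only one label may replace '*'
    return host == pattern


@dataclass
class DeliveryAttempt:
    mx_host: str            # MX hostname the sender connected to
    starttls_offered: bool  # 250-STARTTLS seen in the EHLO response
    tls_established: bool   # handshake completed
    cert_valid: bool        # chain to a trusted root and name matches mx_host


def decide(policy: StsPolicy, attempt: DeliveryAttempt) -> Tuple[str, str]:
    """Return ('deliver' | 'defer', reason) for one delivery attempt under the policy."""
    if policy.mode == "none":
        return "deliver", "no policy in effect; opportunistic TLS only"
    failures = []
    if not any(mx_matches(p, attempt.mx_host) for p in policy.mx):
        failures.append("mx host not in policy")
    if not attempt.starttls_offered:
        failures.append("STARTTLS not offered")
    elif not attempt.tls_established:
        failures.append("TLS handshake failed")
    elif not attempt.cert_valid:
        failures.append("certificate did not validate")
    if not failures:
        return "deliver", "policy satisfied over validated TLS"
    detail = "; ".join(failures)
    if policy.mode == "testing":
        # Testing mode: deliver as before, but the failure is reportable (TLSRPT, RFC 8460).
        return "deliver", f"testing mode: delivered despite {detail} (report it)"
    # Enforce mode: never fall back to cleartext; queue and retry instead.
    return "defer", f"enforce mode: {detail}; no cleartext fallback"


if __name__ == "__main__":
    self_signed = DeliveryAttempt("mail.example.com", True, True, False)
    for text in (SAMPLE_POLICY_TESTING, SAMPLE_POLICY_ENFORCE):
        pol = parse_sts_policy(text)
        print(pol.mode, "->", decide(pol, self_signed))
```

The self-signed and "temporary" certificates keld mentions are exactly what flips from `deliver` to `defer` when the policy moves from testing to enforce: MTA-STS validates against the Web PKI, so a certificate that does not chain to a trusted root fails the policy. DANE behaves differently here, since a TLSA record can pin the server's own key, so a self-signed certificate can satisfy a DANE policy while failing an MTA-STS one.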