Re: [ietf-smtp] why are we reinventing mta-sts ?

Viruthagiri Thirumavalavan <giri@dombox.org> Mon, 07 October 2019 13:25 UTC

References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy> <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com>
In-Reply-To: <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com>
From: Viruthagiri Thirumavalavan <giri@dombox.org>
Date: Mon, 07 Oct 2019 18:55:22 +0530
Message-ID: <CAOEezJTH4Jukz2J4jSDfixECg2Jyyk4+cDnasiAoa4Q2F9=ZZw@mail.gmail.com>
To: Daniel Margolis <dmargolis=40google.com@dmarc.ietf.org>
Cc: SMTP Discuss <ietf-smtp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/BdraOgPx0wwUTVtsa93T2Gumz7k>

Hello Daniel,

I'm the original author of this prefix proposal. So I hope you don't mind
my input here.

If you have read my responses carefully, you might have noticed that I have
no issues with DNSSEC. In fact, I want DNSSEC to become popular.  The only
thing I don't like about DNSSEC is its complexity. Apart from that, I have
nothing against DNSSEC.

In the case of MTA-STS, I don't support it for the following reasons.

(1) End users have to spend money on buying SSL certificates, buying
hosting packages and then configuring those things.

(2) Even spending an extra $5/month is a big deal in developing countries.

(3) Not all end users have knowledge about how to configure an HTTPS
server. This is the reason why most of them rely on third-party mail
hosting services like Gmail for hosting their mail. They can follow simple
things like adding a DNS record. But configuring an HTTPS server is going
to be rocket science for them.

(4) Big companies like Google and Microsoft have millions of businesses in
their pocket to distribute the MTA-STS solution. So the end result will be
that SMTP has to rely on HTTPS forever.

If you still need more reasons, this thread
<https://news.ycombinator.com/item?id=19628182> has some valid points.

On Mon, Oct 7, 2019 at 2:41 PM Daniel Margolis <dmargolis=40google.com@dmarc.ietf.org> wrote:

> I've only quickly skimmed the original thread, but it seems like the
> argument is about this magic DNS prefix for MX records that would indicate
> "this MX should offer STARTTLS", right?
>
> As John says, the new proposal also requires DNSSEC, no? It seems like the
> primary difference is that the new proposal is simpler by indicating only
> that the server supports TLS, but not what identity it presents? Why is
> that desirable?
>
> On Mon, Oct 7, 2019 at 3:56 AM John Levine <johnl@taugh.com> wrote:
>
>> In article <20191007002348.GA23742@x2.esmtp.org> you write:
>> >> What's wrong with MTA-STS defined in RFC 8461?
>> >
>> >It requires an HTTPS server, thus adding an extra service and moving
>> >the "trust" problem to CAs (AFAICT).
>>
>> I was there when we were defining MTA-STS and the people involved,
>> who work for companies that probably handle the majority of all of
>> the mail in the world, did not want it to depend on DNSSEC for
>> deployment reasons.
>>
>> See sections 2 and 10 of RFC 8461.
>>
>> If you like DNSSEC, you can publish a DANE TLSA record for your SMTP
>> server, and systems like Comcast that pay attention to DNSSEC will use
>> it to check that you support TLS and have the right cert.
>>
>> _______________________________________________
>> ietf-smtp mailing list
>> ietf-smtp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf-smtp
>
> --
> How's my emailing? http://go/dan-email-slo
>


-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
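For readers following the argument above, MTA-STS (RFC 8461) consists of a `_mta-sts.<domain>` TXT record plus a policy file served over HTTPS at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, which is the extra service the thread objects to. The Python below is an added example, not code from this thread or from any MTA-STS implementation: it parses both artifacts for a constructed `example.org` policy (all values made up), applies the RFC's MX wildcard rule, and shows what "enforce" versus "testing" means for a sending MTA's delivery decision.

```python
# Constructed sample data: what a sender would fetch for example.org (RFC 8461).
STS_TXT = "v=STSv1; id=20191007T132500"   # TXT record at _mta-sts.example.org
STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup-mx.example.net
max_age: 604800
"""   # body of https://mta-sts.example.org/.well-known/mta-sts.txt

def parse_sts_txt(txt):
    """Return the policy id from the _mta-sts TXT record, or None if malformed."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]

def parse_policy(text):
    """Parse mta-sts.txt into a dict; every 'mx:' line is collected in policy['mx']."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])   # KeyError if the required field is absent
    return policy

def mx_matches(policy, mx_host):
    """RFC 8461 s4.1: a leading '*.' matches exactly one leftmost label, nothing deeper."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                                  # ".backup-mx.example.net"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, starttls_ok, cert_valid):
    """'deliver' or 'defer': enforce mode forbids an MX that fails any check; testing/none do not."""
    validated = mx_matches(policy, mx_host) and starttls_ok and cert_valid
    return "deliver" if validated or policy["mode"] != "enforce" else "defer"
```

A real sender would additionally cache the policy for `max_age` seconds and only refetch when the TXT record's `id` changes, which is what makes the HTTPS fetch infrequent rather than per message.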