Re: [ietf-smtp] SMTP client certs

"John Levine" <johnl@taugh.com> Wed, 01 January 2020 18:34 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2102E1200C4 for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 10:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=QfZCnVRQ; dkim=pass (1536-bit key) header.d=taugh.com header.b=b3PHnAZ/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5GoN0Moq7EMU for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 10:34:30 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE4E120099 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 10:34:30 -0800 (PST)
Received: (qmail 76915 invoked from network); 1 Jan 2020 18:34:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=12c6f.5e0ce635.k2001; i=printer-iecc.com@submit.iecc.com; bh=7x/4t5jpvOC6y3ijy3M6y3RA0H5o2sMTL/eNadPvi2o=; b=QfZCnVRQ9vK2+15QQ+k14aizjc8SNa1Pr44s69Ub8nQJUgGjnC0UrjNvCCe3ISVMOIYDnX2+zliBsy8Sc16U+EY4GOVCKXgYnpplOpl6p3sW9y0StKKR/5TiZDEfOKnVaUCklLcr2/T7iJbFS06w2oUeTwAikvCvmuo4BuVPchROmkRsWN1f8Xhc8A3gdKeh889os4NlHQcqbI85BoiE6z91oxCtudl3kp5grWD5DJ+ZrR/WmvRxWicX1WchFiML
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=12c6f.5e0ce635.k2001; olt=printer-iecc.com@submit.iecc.com; bh=7x/4t5jpvOC6y3ijy3M6y3RA0H5o2sMTL/eNadPvi2o=; b=b3PHnAZ/GcvkBJgR1ZVWFQw0mSiVMcxIzLPf82iEy2P1WX2O0CySHAAqJUSh0atYmY0ZHEsos5xIa6PfgzjKgqknWUr10o7O5E+/ZHw+MNZyEqQyNJUMKv9Gm0mQSZ1nw0VwEmQFFMdYxv/4aXQRFZ1dJkpI/HjA1tRW13P4L7y7bmh6bOo2WjQX86LulgZD2Hf/xFnvifY66QXAsrVyCo/U2B9ag5q2+GkJWAPSVRNpaIM4WkcLbhwqP2r1+6Tl
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, printer@iecc.com) via TCP6; 01 Jan 2020 18:34:28 -0000
Received: by ary.qy (Postfix, from userid 501) id 7E2AE11E2E2C; Wed, 1 Jan 2020 13:34:27 -0500 (EST)
Date: Wed, 01 Jan 2020 13:34:27 -0500
Message-Id: <20200101183428.7E2AE11E2E2C@ary.qy>
From: John Levine <johnl@taugh.com>
To: ietf-smtp@ietf.org
Cc: moore@network-heretics.com
In-Reply-To: <8820eca1-c17d-0821-5fe4-8a46c22a3e7b@network-heretics.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Doy5K06zy30hJsO1Z7RYoj3JqHI>
Subject: Re: [ietf-smtp] SMTP client certs
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2020 18:34:33 -0000

In article <8820eca1-c17d-0821-5fe4-8a46c22a3e7b@network-heretics.com> you write:
>Agreed that client certs can be useful for mail submission 
>authentication.   But I was wondering about the feasibility of migrating 
>to use of client certificates for relay to mail exchangers, i.e. across 
>administrative mail domain boundaries.

I don't see what problem it would solve.

The only path authentication that MTAs do now is SPF, which most
people agree is pretty lousy, and in the other direction IP-based
DNSBLs.

Most certs are signed by Let's Encrypt, who promise little more than
that the entity presenting the cert is the same one that presented the
signing request.  That doesn't impress me as any better than using an
IP address.

Whitelisting mail by source on the assumption that you can identify
sources that send good mail is a Well Known Bad Idea.  Any source big
enough to be worth whitelisting is big enough to have accounts that
get compromised and users infected by malware, so legit mail sources
all send some spam, too.

Apropos whitelisting, I can tell you long tedious stories about all
the people who insisted that Spamhaus needed to publish a whitelist.
When we did, we found that nobody who qualified cared if they were
whitelisted, and nobody who wanted to be listed met the criteria.

R's,
John
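The two IP-keyed checks the message above names, SPF on the inbound side and DNSBL lookups on the outbound side, are shown below as a small working evaluator. This is an added example, not code from John Levine or the ietf-smtp list; the DNS zones (`example.com`, `_spf.mailhost.example`, `loop.example`, `bl.example`) are constructed in-memory records so it runs offline, and the SPF evaluator covers only the `ip4`, `ip6`, `include` and `all` mechanisms plus the RFC 7208 include-result mapping and lookup limit, not the full specification.

```python
import ipaddress

# Constructed DNS TXT data (hypothetical zones for illustration, not real records).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing, hits the lookup limit
}

# Constructed DNSBL zone: a reversed-address name that resolves means "listed".
# Real DNSBLs encode the listing reason in the 127.0.0.x answer.
DNSBL_A = {
    "5.2.0.192.bl.example": "127.0.0.2",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if absent/ambiguous."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(ip, domain, _depth=0):
    """Evaluate SPF for a connecting IP and a MAIL FROM domain.

    Returns pass / fail / softfail / neutral / none / permerror, following
    RFC 7208 semantics for the subset of mechanisms implemented here.
    """
    if _depth > 10:  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An IPv4 address can never match an ip6 network and vice versa.
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            sub = check_spf(ip, arg, _depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("permerror", "none"):  # RFC 7208 section 5.2: none -> permerror
                return "permerror"
            # fail / softfail / neutral from the included domain: no match, keep going
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"  # RFC 7208 section 4.7: no mechanism matched


def dnsbl_listed(ip, zone="bl.example"):
    """Look up an IP in a DNSBL zone; returns the A record if listed, else None."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        name = ".".join(reversed(addr.exploded.split("."))) + "." + zone
    else:
        nibbles = addr.exploded.replace(":", "")
        name = ".".join(reversed(nibbles)) + "." + zone
    return DNSBL_A.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, "spf:", check_spf(ip, "example.com"), "dnsbl:", dnsbl_listed(ip))
```

Both checks key on nothing but the connecting IP address: SPF asks whether the domain owner listed that address, the DNSBL asks whether someone else has complained about it. The `loop.example` record shows why the lookup limit matters, since an `include` chain that never terminates must yield `permerror` rather than hang the receiving MTA.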