IETF Logo Mail Archive

Re: [ietf-smtp] why are we reinventing mta-sts ?

Дилян Палаузов <dilyan.palauzov@aegee.org> Mon, 07 October 2019 15:39 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDA01208A4 for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 08:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AaFIa6hdvmPF for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 08:39:15 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68A6C120901 for <ietf-smtp@ietf.org>; Mon, 7 Oct 2019 08:39:15 -0700 (PDT)
Authentication-Results: mail.aegee.org/x97Fd8Vb011682; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1570462749; i=dkim+MSA-tls@aegee.org; r=y; bh=ee6k43DuYdupGgTjjlN1sGBtnCM6ZTDGzAwRZUxIAY0=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=TScBIe80p7EAXYAxqubMRQpTAHTwWZwrIGiRffa2cfaSmuYOHxQBNe2Jx2oSnTeKi eaxAb02lb8KTOGS7qbv1CibyNkE4MvEzGKjh3JhuG8Gp1DuJ/Bx4uufQH4I0oZil5l g9HXNPivg4h1JxyQQsvk6Pu+KC8yfT3ef98pEmhKm6xpL1Rru8N0QTCeNPhMCFtOxO jb0hk8X0n/+BKyqHjIf9p8Ywv9QAchcPMC8g+/wE4sUup+q0kVjFmVd2F7n6rK+FMd gUWjW5/gwjm306MHADD7tGrTQUYVUi9QCpM948PVsXrW9TCKDj77wnBZJwVTQW3fnR /yPLnb24tnBofEOWicge23au2HuDncsFnp/NiJAHn51xEidn2XZAHAhhL9Cy6jsdJH KROJqv46HuVlpTRldSpcEXhPqyg+PNuWcYHXEKYYPrBSoqW5wTg0No8F7rFgHbg1Ff bjemHR1VVDWLmMqvfPbUHRYWaxqUzrv9Vd4brRU3Ew+dmvbHajjJ0XwSa78rDbyup7 rmEL8N2pFglYUfippxCECCtQ0LWuAuOO4HxfFsYeur9c6kF6G22E89xgPT8xTAUyY/ hQv4lcCvCczaFbtnbdnrZPi8QgOfPijefU6JUVAy6fN7iZZq6vvF3e+Pqh2olGbX9g bQO5nVwNalMWoUmdolr0ajpY=
Authentication-Results: mail.aegee.org/x97Fd8Vb011682; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x97Fd8Vb011682 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Mon, 7 Oct 2019 15:39:09 GMT
Message-ID: <b0dae4ca6e95dc83ca70f71ad780a1432273bcf5.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: Viruthagiri Thirumavalavan <giri@dombox.org>, Daniel Margolis <dmargolis=40google.com@dmarc.ietf.org>
Cc: SMTP Discuss <ietf-smtp@ietf.org>
Date: Mon, 07 Oct 2019 15:39:08 +0000
In-Reply-To: <CAOEezJTH4Jukz2J4jSDfixECg2Jyyk4+cDnasiAoa4Q2F9=ZZw@mail.gmail.com>
References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy> <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com> <CAOEezJTH4Jukz2J4jSDfixECg2Jyyk4+cDnasiAoa4Q2F9=ZZw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.35.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.4 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/FtZdJhiCpYSn03eZIJe2pjmvwj8>
Subject: Re: [ietf-smtp] why are we reinventing mta-sts ?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 15:39:25 -0000

Hello,

On Mon, 2019-10-07 at 18:55 +0530, Viruthagiri Thirumavalavan wrote:
> (3) Not all end users have knowledge about how to configure an HTTPS server. This is the reason why most of them relying on third party mail hosting services like Gmail for hosting their mails. They can follow simple things like adding a DNS record. But configuring an HTTPS server is going to be a rocket science for them.   
> 

Much more people know how to configure an HTTPS server, than to configure a SMTP server (with STARTTLS).  So configuring
HTTPS is not an obstacle.  Since, soon or late a mail server operator will want to reject emails that fail DMARC
validation, the operator will have to learn DKIM.  Then set some custom email rules, AV/AS and so on.  Setting up HTTPS
(and a web-based mail client) looks trivial compared to the remaining pieces.

The HSTS (http strict transport security) preload list, https://hstspreload.org/, is knowledge in HTTP browsers, about
sites, which serve content explicitly over HTTPS.  Browsers use the knowledge and do not contact the hosts under the
listed domains over pure HTTP.

Similar to it, there is a MTA-STS (smtp strict transport security) preload list: a set of hosts, which can serve SMTP
over TLS.  The list is hosted at https://starttls-everywhere.org/ .  This list functions just like HSTS preload list,
but for port 25.

Talking about SMTP and TLS is bi-fold.  There are incoming and outgoing connections.  Depending on the MTA, setting up a
MTA that applies DANE for outgoing connections can be done very easily, so in the context of outgoing connections,
utilizing DANE/DNSSEC can be easier than MTA-STS.

Installing the MTA-STS preload list on the own MTA, and using it for outgoing connections, can be easier than
configuring MTA-STS for outgoing connections.

Deploying/enforcing DANE for outgoing connections is equally hard compared to deploying MTA-STS for outgoing
connections, when the used MTA offers neither features.

To sum up, the options in the MTA are:
* for outgoing connections:
  - check MTA-STS (without necessary publishing own MTA-STS records)
  - check DANE (without having deployed DNSSEC for the own domain)
  - check the STARTTLS-everywhere preload list for the destination host
  - consider sending your own certificate during establishing the TLS tunnel (nearly nobody does this)

* for incoming connections:
  - publish MTA-STS records
  - publish DANE records, once DNSSEC is set up
  - add an entry in the MTA-STS preload list

* for both: speak TLS 1.3 .

What are the pros and cons of sending the certificate of the SMTP client to the SMTP server, during STARTTLS?

Regards
  Дилян

v2.23.0 | Report a Bug | By Email