[ietf-smtp] How to encrypt SMTP?

Дилян Палаузов <dilyan.palauzov@aegee.org> Wed, 16 October 2019 17:43 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A240120956 for <ietf-smtp@ietfa.amsl.com>; Wed, 16 Oct 2019 10:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2eNXbxuJ5wu for <ietf-smtp@ietfa.amsl.com>; Wed, 16 Oct 2019 10:43:13 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1886120946 for <ietf-smtp@ietf.org>; Wed, 16 Oct 2019 10:43:12 -0700 (PDT)
Authentication-Results: mail.aegee.org/x9GHh7GW012428; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1571247790; i=dkim+MSA-tls@aegee.org; r=y; bh=Axyw2qMMLhIuK5ihlWt/bQiV1NJUQl88vQQqfmUsTn8=; h=Subject:From:To:Date; b=GQFCMN2ZhUyH2DUoYjt1VVf1Y+IVFYuFu0d2Z79LR60ZvUzyNZjjC1fVRAk83VY15 f1PQvGI7QT/9tpUZtqWwphNOTfzZlpuyDqYbJgeO+4tnbRfGTxosvohC8bOp5h5roE lTQVYY9WM2PSk4l9gy+xAudmwcegrtt/N/oQEm6Y1Pw4WkMh/rahQGEBR3jigK8GzT g8mVCuaTUamen8Bat0unLskI8/xhDAJGp8OkrS5ONIf7TWdUkDHGq4tQf1+H2gXFTZ 7VsSo0M5D0Ra1d34ofKLWhXkYhcca6R5HbbNFsUD8YaI/0F8Cb5uJ44ZWenyrGHSNd +HpIvDoPNQm9jqJJV20XlcYKzOIO0VSVaPPpo+DMiyhriqR/Txr9i3lGAffbR6mC8b 8DiYn5fUDhNYMbEdCgaP0X4zMDHi10jwXv7JgCDE2zvlc4XrlxxEZjzr6cALlnPy/s pMZsSGTnKSadRjbo+hHNmL5lndmrWtoIAHBUDG3rzgM2ubXCG+zJTpJgBd14K0gMVv 0xlxfyCqMApsYFRyEozjCvZl0yT6V2aFS9vNFZ8PcPTIwfY5Seby2uphjvj16NUZ4+ 7TI6o8r6BpVizeEjZPs5Mvu86ueeJb1ujf/d8D9JNY/3NwASCAxTuW0wjPbphZ10Ix 3lxMiI5p0BP0DDQUi2nU93BU=
Authentication-Results: mail.aegee.org/x9GHh7GW012428; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x9GHh7GW012428 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <ietf-smtp@ietf.org>; Wed, 16 Oct 2019 17:43:10 GMT
Message-ID: <1420291b5ffe6b65da9bd8e933648b6029dd4c94.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: ietf-smtp <ietf-smtp@ietf.org>
Date: Wed, 16 Oct 2019 17:43:07 +0000
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.35.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.4 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/JH5iC3loVipzMzXym-TaAgFwbNw>
Subject: [ietf-smtp] How to encrypt SMTP?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 17:43:24 -0000

Hello,

MTA-STS and DANE for SMTP answer the question of when traffic must either be encrypted or the delivery postponed.

How shall it be encrypted?

Some sites (tools) present information, based on the provided protocols and ciphers, about which browsers will work
with an HTTPS web server and which will not.  And one can decide that accepting connections from IE 8 is not a priority.

But for SMTP there is nothing similar.  What matters is: if a weak cipher is disabled on a mailhost, which sites will
no longer be able to use STARTTLS with that host.  E.g. disabling TLS 1.0 (and SSL 3) will no longer allow encrypting
traffic with @gnu.org .

Some questions:

What happens to MTAs that are smart enough to understand MTA-STS or DANE, but offer only weak ciphers?

Does somebody offer both EC and RSA certificates on their smtp:25 server, and has this ever caused problems?

Does somebody offer both EC and RSA certificates with DANE on their smtp:25 server, and has this ever caused problems?

How many bits shall DH params have to support an acceptable number of mailhosts?  Do too big DH params break some clients?

What elliptic curves shall be offered, so that the communication works with an acceptable number of hosts?

From which moment shall there be penalties, in terms of sticking to unencrypted traffic, for mailhosts offering only
weak encryption?  Will this happen chaotically, or can any advice be drafted?

Regards
  Дилян
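The post asks, in effect, for the SMTP equivalent of the browser-compatibility tables that HTTPS tools offer: given a receiving host's TLS configuration, which sending MTAs can no longer STARTTLS, and do they then fall back to cleartext or postpone delivery under MTA-STS/DANE? The following is an added example, not code from the post or from any IETF project. It models the negotiation of a TLS version, cipher suite, certificate type and key exchange between a receiving server and a set of sending peers, then compares a lax configuration with a hardened one (TLS 1.0 removed, larger DH parameters, an ECDSA certificate added alongside RSA). All peer profiles, host names and the `SUITES` table are constructed for illustration; they do not describe any real mail host, and the negotiation is a simplification of what a TLS stack actually does.

```python
"""Estimate which sending MTAs lose STARTTLS when a receiving MTA hardens its TLS.

Added example (not from the list post). Peer profiles and host names are constructed.
"""
from dataclasses import dataclass

VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# suite -> (lowest protocol version, key exchange, certificate type it authenticates with)
# "ANY": TLS 1.3 suites work with whichever certificate type both sides share.
SUITES = {
    "TLS_AES_256_GCM_SHA384":        ("TLSv1.3", "ECDHE", "ANY"),
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLSv1.2", "ECDHE", "ECDSA"),
    "ECDHE-RSA-AES256-GCM-SHA384":   ("TLSv1.2", "ECDHE", "RSA"),
    "DHE-RSA-AES256-SHA":            ("SSLv3",  "DHE",   "RSA"),
    "AES128-SHA":                    ("SSLv3",  "RSA",   "RSA"),
    "RC4-SHA":                       ("SSLv3",  "RSA",   "RSA"),
}


@dataclass
class Server:                  # the receiving MTA on port 25
    versions: set
    ciphers: list              # server preference order
    curves: list               # server preference order
    dh_bits: int               # size of the DH parameters offered for DHE suites
    cert_types: set            # certificates installed: {"RSA"}, {"ECDSA"} or both
    publishes_policy: bool     # publishes an MTA-STS policy or DANE TLSA records


@dataclass
class Peer:                    # a sending MTA
    name: str
    versions: set
    ciphers: set
    curves: set
    max_dh_bits: int           # largest DH prime the peer's TLS stack accepts
    cert_types: set            # certificate types the peer can validate
    honors_policy: bool        # implements MTA-STS/DANE, so it defers instead of downgrading


def _usable(suite, version):
    """TLS 1.3 suites are usable only at 1.3; older suites only below 1.3 and above their minimum."""
    min_version = SUITES[suite][0]
    if version == "TLSv1.3" or min_version == "TLSv1.3":
        return version == min_version
    return VERSION_ORDER.index(version) >= VERSION_ORDER.index(min_version)


def negotiate(server, peer):
    """Return (parameters, reason): parameters is None when no handshake is possible."""
    common = [v for v in VERSION_ORDER if v in server.versions and v in peer.versions]
    if not common:
        return None, "no common protocol version"
    version = common[-1]                       # highest shared version wins, as in TLS
    for suite in server.ciphers:               # walk the server's preference list
        if suite not in peer.ciphers or not _usable(suite, version):
            continue
        _, kx, cert = SUITES[suite]
        if cert == "ANY":
            if not (server.cert_types & peer.cert_types):
                continue
        elif cert not in server.cert_types or cert not in peer.cert_types:
            continue                           # server lacks that cert, or peer cannot validate it
        if kx == "ECDHE":
            curve = next((c for c in server.curves if c in peer.curves), None)
            if curve is None:
                continue                       # no shared named group
            return {"version": version, "cipher": suite, "kx": curve}, "ok"
        if kx == "DHE":
            if server.dh_bits > peer.max_dh_bits:
                continue                       # peer rejects DH primes this large
            return {"version": version, "cipher": suite, "kx": f"DH-{server.dh_bits}"}, "ok"
        return {"version": version, "cipher": suite, "kx": "RSA"}, "ok"
    return None, f"no usable cipher suite at {version}"


def outcome(server, peer):
    """encrypted, or what happens to the mail when STARTTLS cannot be negotiated."""
    params, reason = negotiate(server, peer)
    if params:
        return "encrypted", params
    if server.publishes_policy and peer.honors_policy:
        return "deferred", reason              # policy forbids cleartext: mail stays queued
    return "cleartext", reason                 # opportunistic STARTTLS silently falls back


def compare(before, after, peers):
    """Map peer name -> (old outcome, new outcome, reason) for peers whose outcome changes."""
    changes = {}
    for p in peers:
        old, _ = outcome(before, p)
        new, why = outcome(after, p)
        if old != new:
            changes[p.name] = (old, new, why)
    return changes


# Constructed peer profiles (not real hosts).
PEERS = [
    Peer("modern.example", {"TLSv1.2", "TLSv1.3"},
         {"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"},
         {"x25519", "secp256r1"}, 4096, {"RSA", "ECDSA"}, honors_policy=True),
    Peer("legacy-tls10.example", {"TLSv1"}, {"DHE-RSA-AES256-SHA", "AES128-SHA", "RC4-SHA"},
         set(), 2048, {"RSA"}, honors_policy=False),
    Peer("small-dh.example", {"TLSv1", "TLSv1.1", "TLSv1.2"}, {"DHE-RSA-AES256-SHA", "AES128-SHA"},
         set(), 1024, {"RSA"}, honors_policy=True),
    Peer("ecdsa-only.example", {"TLSv1.2"}, {"ECDHE-ECDSA-AES256-GCM-SHA384"},
         {"secp256r1"}, 2048, {"ECDSA"}, honors_policy=False),
]
LAX = Server({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
             ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
              "DHE-RSA-AES256-SHA", "AES128-SHA"],
             ["x25519", "secp256r1"], dh_bits=1024, cert_types={"RSA"}, publishes_policy=True)
HARDENED = Server({"TLSv1.2", "TLSv1.3"},
                  ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
                   "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA"],
                  ["x25519", "secp256r1"], dh_bits=2048, cert_types={"RSA", "ECDSA"}, publishes_policy=True)

if __name__ == "__main__":
    for name, change in compare(LAX, HARDENED, PEERS).items():
        print(f"{name}: {change[0]} -> {change[1]} ({change[2]})")
```

With the constructed profiles, dropping TLS 1.0 turns the legacy peer's mail into cleartext (it does not honour MTA-STS/DANE, so it downgrades), raising the DH size to 2048 bits makes the policy-aware peer with a 1024-bit DH limit defer instead, and adding an ECDSA certificate beside the RSA one brings a previously cleartext peer onto TLS. Run against real peer capabilities gathered from your own logs, the same comparison answers the post's "which sites will not be able to use STARTTLS" question before a change is deployed.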