Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP

Keith Moore <moore@network-heretics.com> Fri, 27 December 2019 00:30 UTC

To: ietf-smtp@ietf.org
References: <FCDE38AEA7DDB9BB0FB206F9@PSB> <0cbf23be-dbfc-f78f-8e63-d92d6e34fbf0@network-heretics.com> <37C195CAA3295DE832711B38@PSB> <434a885c-3709-b90b-40cd-4c45ba339666@network-heretics.com> <64DEBBA8-FEBC-499B-80A0-EF49A2210BB2@dukhovni.org>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <dfa17007-a637-88d8-339c-a6225b1648c5@network-heretics.com>
Date: Thu, 26 Dec 2019 19:29:53 -0500
In-Reply-To: <64DEBBA8-FEBC-499B-80A0-EF49A2210BB2@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/LUd7YxiqPmBXuHqbKkaA2o7Sy5s>

On 12/26/19 5:37 PM, Viktor Dukhovni wrote:

>> To me it seems that all of this should be out-of-scope for 5321bis, or that the only mention of this in 5321bis should be to declare such things out-of-scope. Requiring hop-by-hop encryption would be the most disruptive change in the history of SMTP, I think, far more so than EHLO.
> It may well be too soon to *mandate* TLS, but we could perhaps MUST a RECOMMENDED or a SHOULD for inter-domain relay of email.

I'd support a carefully-worded recommendation to use TLS when relaying, 
as long as it didn't (yet) recommend blocking mail based on absence of 
TLS and (probably) cautioned against doing so outside of some narrow 
corner cases.

I suspect that there are a lot of devices out there sending cleartext 
mail, that probably can't be upgraded for the useful lifetime of the 
device.  And using TLS to send mail from a device actually makes the 
device more fragile because it implies a need to upgrade the CAs that 
the device trusts.

(I do also wonder how many existing SMTP servers can handle TLS with 
client certificates, because it seems like that would also be a 
recommendation worth considering.)

Keith
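To make the trade-off discussed above concrete, here is an added example (not code from the thread or from any MTA) of an opportunistic-STARTTLS relay policy in Python: it prefers TLS but never refuses mail for lack of it, and when a device's CA store cannot verify the peer it keeps the encryption and drops only the authentication. The `relay_connect` policy, the `FakeSMTP` stand-in and the `demo` cases are hypothetical and constructed for illustration; `connect` is assumed to return an `smtplib.SMTP`-compatible object.

```python
import ssl

def relay_connect(connect, cafile=None):
    """Opportunistic STARTTLS relay policy (hypothetical, not from the thread).

    connect() returns a fresh smtplib.SMTP-like object (real use: lambda: smtplib.SMTP(host, 25)).
    Returns (session, transport) with transport in {"cleartext", "tls-verified", "tls-unverified"}.
    """
    conn = connect()
    conn.ehlo()
    if not conn.has_extn("starttls"):
        return conn, "cleartext"  # recommend TLS, but never refuse mail for lack of it
    try:
        conn.starttls(context=ssl.create_default_context(cafile=cafile))
        conn.ehlo()
        return conn, "tls-verified"  # peer certificate chained to a CA in cafile
    except ssl.SSLCertVerificationError:
        conn.close()  # a failed handshake leaves the session unusable; start over
    # e.g. a stale CA store on an old device: keep the encryption, drop the authentication
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = connect()
    conn.ehlo()
    conn.starttls(context=ctx)
    conn.ehlo()
    return conn, "tls-unverified"

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP with scripted behaviour; no network."""
    def __init__(self, advertises_starttls, cert_trusted):
        self._adv, self._trusted, self.tls = advertises_starttls, cert_trusted, False
    def ehlo(self):
        return 250, b"fake.example"
    def has_extn(self, name):
        return name == "starttls" and self._adv
    def starttls(self, context=None):
        if context.verify_mode == ssl.CERT_REQUIRED and not self._trusted:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        self.tls = True
    def close(self):
        pass

def demo():
    """Three constructed peers: modern MX, legacy cleartext-only MX, MX whose CA we no longer trust."""
    cases = {"modern": (True, True), "legacy": (False, False), "stale-ca": (True, False)}
    return {name: relay_connect(lambda a=a, t=t: FakeSMTP(a, t))[1] for name, (a, t) in cases.items()}
```

The "tls-unverified" path is where opportunistic TLS silently loses authentication, which is the gap that MTA-STS (RFC 8461) and DANE (RFC 7672) close for domains that publish a policy.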