Re: [ietf-smtp] How to encrypt SMTP?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 27 October 2019 08:09 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <3bd69a26-1587-1ac9-0cec-c91ba2ac94a2@network-heretics.com>
Date: Sun, 27 Oct 2019 09:09:38 +0100
Message-Id: <3BB87806-0EEC-47EF-B30F-50029DC2D79F@dukhovni.org>
References: <20191027011742.5E6BAD74D2F@ary.qy> <3bd69a26-1587-1ac9-0cec-c91ba2ac94a2@network-heretics.com>
To: ietf-smtp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/NBlItSmtQ65egjcW9tI3tXvgNM4>
Subject: Re: [ietf-smtp] How to encrypt SMTP?

> On Oct 27, 2019, at 2:24 AM, Keith Moore <moore@network-heretics.com> wrote:
> 
>> I gather that the number of ways that middleboxes can screw up the DNS
>> is far greater than we can imagine.  And getting people to fix it is not
>> easy since "the box works fine" and DNS works fine, too.
> 
> Ah yes, interesting point.   And users do have strange ideas as to what "works fine".
> 
> What's the half-life of a broken middlebox?   I'm guessing about 10 years.

The middlebox breakage affects mobile users in hotels, airports, home
networks, ...  It has little to no effect on MTAs in data-centres.
MTA-to-MTA DNSSEC does not face any meaningful middlebox barriers.

There are (today) ~1.35 million DNSSEC-signed domains with DNSSEC-signed MX
hosts that have DANE TLSA records.

The only issue is that some hosting providers with very old broken DNSSEC
authoritative servers don't return valid denial of existence for MX-host
TLSA records.  This affects ~800 out of 10 million signed domains.  None
are significant sources or sinks of email.

Bottom line, sign away, you'll not have any issues, unless your domain
is hosted by a small number of small (mostly Dutch) providers.

-- 
	Viktor.
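The message above turns on how a DANE-aware SMTP client reacts to what a validating resolver returns for an MX host's TLSA records: a validated "no TLSA" answer falls back to opportunistic TLS, while a broken denial of existence (SERVFAIL, DNSSEC bogus) makes the client defer delivery. The following is an added example, not code from the thread or from any MTA; the `TlsaLookup` and `smtp_tls_policy` names are mine, and the lookup outcomes are constructed rather than taken from a live resolver.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tlsa:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(presentation: str) -> Tlsa:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>' (RFC 6698 section 2.2)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def usable_for_smtp(r: Tlsa) -> bool:
    """RFC 7672 only uses DANE-TA(2) and DANE-EE(3); unknown parameters make a record unusable."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


@dataclass
class TlsaLookup:
    """Outcome of a validating query for _25._tcp.<mx-host> TLSA (constructed for this example)."""
    bogus: bool           # DNSSEC validation failed: resolver answered SERVFAIL
    secure: bool          # the answer, or the denial of existence, validated (AD bit set)
    records: List[Tlsa]   # empty on a validated NODATA/NXDOMAIN


def smtp_tls_policy(mx_host_secure: bool, tlsa: Optional[TlsaLookup]) -> str:
    """Client-side policy an RFC 7672 DANE-aware MTA applies to one MX host."""
    if not mx_host_secure:
        return "opportunistic"       # MX host in an unsigned zone: DANE not possible, TLS best-effort
    if tlsa is None or tlsa.bogus:
        return "defer"               # cannot tell whether TLSA exists: temporary failure, retry later
    if not tlsa.secure or not tlsa.records:
        return "opportunistic"       # validated "no TLSA" (or insecure TLSA): TLS best-effort
    if any(usable_for_smtp(r) for r in tlsa.records):
        return "dane"                # TLS required; certificate must match a usable TLSA record
    return "tls-unauthenticated"     # TLSA published but none usable: TLS required, no authentication
```

The "defer" branch is the failure mode the message describes: a signed MX host whose authoritative server returns an invalid denial of existence for the TLSA name cannot be distinguished from an attack, so mail queues rather than being sent in the clear.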