Re: [ietf-smtp] How to encrypt SMTP?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 26 October 2019 21:05 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <de6d60415a2e3c9e3ab95690ca71b4e7cae94cf2.camel@aegee.org>
Date: Sat, 26 Oct 2019 23:04:59 +0200
Reply-To: ietf-smtp@ietf.org
Message-Id: <DA6C74A3-0D48-4D73-AE06-20378A5CFE54@dukhovni.org>
References: <1420291b5ffe6b65da9bd8e933648b6029dd4c94.camel@aegee.org> <8B777B0F-6CA9-4683-92BD-2882C62A7D36@dukhovni.org> <de6d60415a2e3c9e3ab95690ca71b4e7cae94cf2.camel@aegee.org>
To: ietf-smtp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/ST9jct9l2v53SgQ5hr7FuShsqJ8>
Subject: Re: [ietf-smtp] How to encrypt SMTP?

> On Oct 26, 2019, at 3:33 PM, Дилян Палаузов <dilyan.palauzov@aegee.org> wrote:
> 
> Why is it common for https providers to offer both RSA and EC certificates, but not common for IMAP or SMTP
> providers to offer EC certificates?  I mean, if EC requires fewer calculations without sacrificing security, why does
> nobody make use of this?

MTAs are difficult enough to operate without the extra complexity of
managing certs for multiple algorithms.  For mostly opportunistic TLS,
there's not much incentive to jump through complex TLS hoops.

>> DANE (~3 years earlier) specifies at least TLS 1.0 and SHOULD TLS 1.2:
>> 
>> 	https://tools.ietf.org/html/rfc7671#section-3
>> 
>> The Postfix TLS implementation does not allow enable ciphers
>> when TLS is mandatory, and these are rapidly disappearing
>> entirely from TLS stacks.
>> 
> 
> I do not get the last paragraph.

I fumbled the original response, sorry about that.  You asked:

> What happens to MTAs, that are so smart to understand MTA-STS or DANE,
> but offer only weak ciphers?

I meant to say that Postfix disables weak ciphers when TLS is mandatory
(e.g. when DANE or MTA-STS is used).  So anyone configuring DANE or MTA-STS
needs to implement the MTI TLS 1.2 ciphers and generally most of the reasonably
strong alternatives.

-- 
	Viktor.
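The distinction Viktor draws between opportunistic and mandatory TLS maps onto two separate sets of Postfix parameters. The following main.cf fragment is an added illustration, not part of Viktor's message or of the Postfix documentation; the parameter names are real Postfix settings, but the chosen values are an assumed policy for a hypothetical outbound MTA. With `smtp_tls_security_level = may`, a peer that offers only weak ciphers is reached in cleartext; with DANE, a peer that publishes DNSSEC-signed TLSA records is subject to the mandatory grade, and if its cipher set cannot satisfy it the handshake fails and the mail is deferred rather than downgraded. MTA-STS in Postfix needs an external policy lookup feeding `smtp_tls_policy_maps`, which is not shown here.

```ini
# --- Opportunistic TLS (the default posture for arbitrary destinations) ---
# Postfix falls back to cleartext if no acceptable TLS session can be
# negotiated, so the opportunistic cipher grade is deliberately permissive:
# a weak cipher is still better than plaintext in this mode.
smtp_tls_security_level = may
smtp_tls_ciphers = medium

# --- Mandatory TLS via DANE ---
# Uncomment to enable DANE. Requires a DNSSEC-validating resolver.
# For destinations without usable TLSA records the effective level
# drops back to "may"; for destinations with TLSA records the session
# is mandatory and the *_mandatory_* parameters below apply.
#smtp_dns_support_level = dnssec
#smtp_tls_security_level = dane

# Cipher grade and protocol floor that apply only when TLS is mandatory
# (dane, dane-only, encrypt, verify, secure). Values are an assumed
# policy, not Postfix defaults. Postfix already refuses anonymous (aNULL)
# ciphers with DANE, since they cannot be authenticated; the exclusions
# below additionally rule out legacy suites a DANE-publishing peer
# should never need.
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, RC4, MD5, DES, 3DES

# Log the negotiated protocol and cipher for every outbound session so
# peers that only manage a weak handshake can be spotted in the mail log.
smtp_tls_loglevel = 1
```

Note that the two security levels are shown together only for contrast; `smtp_tls_security_level` takes a single value, so exactly one of the two assignments should be active. After editing, `postconf -n` lists the resulting non-default settings, and `postfix reload` applies them.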