Re: [ietf-smtp] why are we reinventing mta-sts ?
Viruthagiri Thirumavalavan <giri@dombox.org> Mon, 07 October 2019 17:25 UTC
Return-Path: <giri@dombox.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64F81200B3 for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 10:25:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dombox.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwLb5l1K7NwN for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 10:25:47 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45D3112004F for <ietf-smtp@ietf.org>; Mon, 7 Oct 2019 10:25:47 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id d22so7206819pls.0 for <ietf-smtp@ietf.org>; Mon, 07 Oct 2019 10:25:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dombox.org; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+Dfunxk3tGbFYSGiulnn3S0WBtcg6f4Tv/rwSy9oXFY=; b=R0nAMu5bQlg+wxI6MkW7tzFqq3TZOaZF8mX1nOL3s9NGNq27yG3wre9kp2ziCp/wbV S4jgQxIdnTMnxwuAM74EDztZIu+D7Y9vmOJd6+mnnnC1dvafv5JZOiQvpnAjPzNgsZGs 9Nuyfsr+bW0SXFBwtpkZ81MR4X7Gv83UsASZlrcsGDvCFHKyXWDqcc4EfZheK9G94ae6 8KmlhiKMo2NhURQWM3W27MqVQYNn7HLulN4TrXMsrHSWsvAt/u4oXtmRc9oWmBzTKmF9 WQGXvjTFHHiD1JgkxjNU67reehN2AOnynEUTbKDB3ZBicfbhwpgpd24Et3sq9NH5RPDM D1Yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+Dfunxk3tGbFYSGiulnn3S0WBtcg6f4Tv/rwSy9oXFY=; b=tNDEg7Mrm3i8PckrNAKDdDNtrxKfGwVx/09lhx8aq54F1cjDVOIn+adkDpoWfJwzgJ f0o4Wt87bDxOCw2K8lQeykBfEL1mwCQOdnlVIqfk83Vfla7FJPR5gVYIV3IwTDipkdOP rmieo+9T3eh9UTLqUXQcQIJzbfzX6o3ShlSLQjYAM2tvw4hBJ8AdXgarkVgouKv1Zt88 KcgseAAN40BY7xcbw4iW/pQQ8BokIfWlpyg5gsJbPe8skJLvE8Amu+P74UUs8AKSElvc FHOmaOKZjwHlSKsC95HZUbc7baHnShzDsOqGIyAN4wxlsFK9pY4LKmt0oXhnKUpOwDyn GXIA==
X-Gm-Message-State: APjAAAWKswjd8BzH3YmChCkSuk7c58l6V4zcOslcXrE6GVlD7e+2/Avd NMYQYAlJa1lJRyQceIn5UCc8Hs+rQ6iFUCNi9Oof8crevG8=
X-Google-Smtp-Source: APXvYqx9JJF5Hptm1hDXJkMGuyJJydZ05rfesbJeqRmSTe9egsrr/xJI4kQ7+/pO80i4TPQiwYimxP9USYRpmvrtMuk=
X-Received: by 2002:a17:902:fe0e:: with SMTP id g14mr31037999plj.285.1570469146505; Mon, 07 Oct 2019 10:25:46 -0700 (PDT)
MIME-Version: 1.0
References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy> <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com> <CAOEezJTH4Jukz2J4jSDfixECg2Jyyk4+cDnasiAoa4Q2F9=ZZw@mail.gmail.com> <b0dae4ca6e95dc83ca70f71ad780a1432273bcf5.camel@aegee.org>
In-Reply-To: <b0dae4ca6e95dc83ca70f71ad780a1432273bcf5.camel@aegee.org>
From: Viruthagiri Thirumavalavan <giri@dombox.org>
Date: Mon, 07 Oct 2019 22:55:19 +0530
Message-ID: <CAOEezJRXUZkPoJn_kV92q=OQoUs32VzTR5a0JeAKg6NYBW55=Q@mail.gmail.com>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: SMTP Discuss <ietf-smtp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009bcaea0594555787"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/XjKL6k5ynMXfg5Vz5xwDm_2ZldE>
Subject: Re: [ietf-smtp] why are we reinventing mta-sts ?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 17:25:50 -0000
> > Much more people know how to configure an HTTPS server, than to configure > a SMTP server (with STARTTLS). So configuring > HTTPS is not an obstacle. Since, soon or late a mail server operator will > want to reject emails that fail DMARC > validation, the operator will have to learn DKIM. Then set some custom > email rules, AV/AS and so on. Setting up HTTPS > (and a web-based mail client) looks trivial compared to the remaining > pieces. We both use a different demographic to define "end user" for MTA-STS. The way you see it, an end user is a "mail server operator". The way I see it, an end user is a "small business" who hosts their mails in a third party mail service like Gmail. Configuring an HTTPS server is not going to be easy for such small businesses. This comment <https://news.ycombinator.com/item?id=19629569> portrays that part more clearly. I'd like to be wrong, but with the nature of this standard, I don't expect > heavy adoption. If a person is deploying G Suite or Office 365 or similar, > they get asked to setup MX records, TXT for SPF, possibly DKIM and so on. > If I could create a record that says "use the policy Microsoft/Google > publish", it would be a no brainer. And it would take off because, much > like SPF, these groups can just add it to their onboarding checklist. > As soon as you say "deploy an end point on your domain", it falls in the > too hard basket for unimportant domains. Moreover, in a corporate situation > the people running mail have no involvement in web endpoints. For the mail > domains I professionally manage, that falls into the domain of another > department, and the people involved in running web endpoints are going to > say something like "if it was important, Wordpress would do it already for > us". On Mon, Oct 7, 2019 at 9:09 PM Дилян Палаузов <dilyan.palauzov@aegee.org> wrote: > Hello, > > On Mon, 2019-10-07 at 18:55 +0530, Viruthagiri Thirumavalavan wrote: > > (3) Not all end users have knowledge about how to configure an HTTPS > server. This is the reason why most of them relying on third party mail > hosting services like Gmail for hosting their mails. They can follow simple > things like adding a DNS record. But configuring an HTTPS server is going > to be a rocket science for them. > > > > Much more people know how to configure an HTTPS server, than to configure > a SMTP server (with STARTTLS). So configuring > HTTPS is not an obstacle. Since, soon or late a mail server operator will > want to reject emails that fail DMARC > validation, the operator will have to learn DKIM. Then set some custom > email rules, AV/AS and so on. Setting up HTTPS > (and a web-based mail client) looks trivial compared to the remaining > pieces. > > The HSTS (http strict transport security) preload list, > https://hstspreload.org/, is knowledge in HTTP browsers, about > sites, which serve content explicitly over HTTPS. Browsers use the > knowledge and do not contact the hosts under the > listed domains over pure HTTP. > > Similar to it, there is a MTA-STS (smtp strict transport security) preload > list: a set of hosts, which can serve SMTP > over TLS. The list is hosted at https://starttls-everywhere.org/ . This > list functions just like HSTS preload list, > but for port 25. > > Talking about SMTP and TLS is bi-fold. There are incoming and outgoing > connections. Depending on the MTA, setting up a > MTA that applies DANE for outgoing connections can be done very easily, so > in the context of outgoing connections, > utilizing DANE/DNSSEC can be easier than MTA-STS. > > Installing the MTA-STS preload list on the own MTA, and using it for > outgoing connections, can be easier than > configuring MTA-STS for outgoing connections. > > Deploying/enforcing DANE for outgoing connections is equally hard compared > to deploying MTA-STS for outgoing > connections, when the used MTA offers neither features. > > To sum up, the options in the MTA are: > * for outgoing connections: > - check MTA-STS (without necessary publishing own MTA-STS records) > - check DANE (without having deployed DNSSEC for the own domain) > - check the STARTTLS-everywhere preload list for the destination host > - consider sending your own certificate during establishing the TLS > tunnel (nearly nobody does this) > > * for incoming connections: > - publish MTA-STS records > - publish DANE records, once DNSSEC is set up > - add an entry in the MTA-STS preload list > > * for both: speak TLS 1.3 . > > What are the pros and cons of sending the certificate of the SMTP client > to the SMTP server, during STARTTLS? > > Regards > Дилян > > -- Best Regards, Viruthagiri Thirumavalavan Dombox, Inc.
- Re: [ietf-smtp] why are we reinventing mta-sts ? John R Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Claus Assmann
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Daniel Margolis
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? Дилян Палаузов
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? John R Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Stan Kalisch
- Re: [ietf-smtp] why are we reinventing mta-sts ? Daniel Margolis
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] why are we reinventing mta-sts ? Rich Kulawiec
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Tony Finch
- Re: [ietf-smtp] why are we reinventing mta-sts ? Keith Moore
- Re: [ietf-smtp] why are we reinventing mta-sts ? Tony Finch
- Re: [ietf-smtp] why are we reinventing mta-sts ? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viruthagiri Thirumavalavan
- Re: [ietf-smtp] MTA-STS scale (was: why are we re… Viktor Dukhovni
- Re: [ietf-smtp] why are we reinventing mta-sts ? Rich Kulawiec
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] why are we reinventing mta-sts ? Hector Santos
- Re: [ietf-smtp] why are we reinventing mta-sts ? Viktor Dukhovni
- Re: [ietf-smtp] why are we reinventing mta-sts ? John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Viktor Dukhovni
- Re: [ietf-smtp] [OT] (signed TLDs) John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Viktor Dukhovni
- Re: [ietf-smtp] [OT] (signed TLDs) John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Viktor Dukhovni
- Re: [ietf-smtp] [OT] (signed TLDs) John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Viktor Dukhovni
- Re: [ietf-smtp] [OT] (signed TLDs) Tony Finch
- Re: [ietf-smtp] [OT] (signed TLDs) John R Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Tony Finch
- Re: [ietf-smtp] [OT] (signed TLDs) Hector Santos
- Re: [ietf-smtp] [OT] (signed TLDs) Arnt Gulbrandsen
- Re: [ietf-smtp] [OT] (signed TLDs) Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] [OT] (signed TLDs) Hector Santos
- Re: [ietf-smtp] [OT] (signed TLDs) Keith Moore
- Re: [ietf-smtp] [OT] (signed TLDs) John Levine
- Re: [ietf-smtp] [OT] (signed TLDs) Mark Andrews
- Re: [ietf-smtp] [OT] (signed TLDs) Viktor Dukhovni
- Re: [ietf-smtp] [OT] (signed TLDs) Hector Santos
- [ietf-smtp] HTTPS degrading (was: [OT] (signed TL… Keith Moore
- Re: [ietf-smtp] [OT] (signed TLDs) Tony Finch
- Re: [ietf-smtp] HTTPS degrading Hector Santos