IETF Logo Mail Archive

Re: [ietf-smtp] why are we reinventing mta-sts ?

Viruthagiri Thirumavalavan <giri@dombox.org> Mon, 07 October 2019 17:25 UTC

Return-Path: <giri@dombox.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64F81200B3 for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 10:25:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dombox.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwLb5l1K7NwN for <ietf-smtp@ietfa.amsl.com>; Mon, 7 Oct 2019 10:25:47 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45D3112004F for <ietf-smtp@ietf.org>; Mon, 7 Oct 2019 10:25:47 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id d22so7206819pls.0 for <ietf-smtp@ietf.org>; Mon, 07 Oct 2019 10:25:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dombox.org; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+Dfunxk3tGbFYSGiulnn3S0WBtcg6f4Tv/rwSy9oXFY=; b=R0nAMu5bQlg+wxI6MkW7tzFqq3TZOaZF8mX1nOL3s9NGNq27yG3wre9kp2ziCp/wbV S4jgQxIdnTMnxwuAM74EDztZIu+D7Y9vmOJd6+mnnnC1dvafv5JZOiQvpnAjPzNgsZGs 9Nuyfsr+bW0SXFBwtpkZ81MR4X7Gv83UsASZlrcsGDvCFHKyXWDqcc4EfZheK9G94ae6 8KmlhiKMo2NhURQWM3W27MqVQYNn7HLulN4TrXMsrHSWsvAt/u4oXtmRc9oWmBzTKmF9 WQGXvjTFHHiD1JgkxjNU67reehN2AOnynEUTbKDB3ZBicfbhwpgpd24Et3sq9NH5RPDM D1Yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+Dfunxk3tGbFYSGiulnn3S0WBtcg6f4Tv/rwSy9oXFY=; b=tNDEg7Mrm3i8PckrNAKDdDNtrxKfGwVx/09lhx8aq54F1cjDVOIn+adkDpoWfJwzgJ f0o4Wt87bDxOCw2K8lQeykBfEL1mwCQOdnlVIqfk83Vfla7FJPR5gVYIV3IwTDipkdOP rmieo+9T3eh9UTLqUXQcQIJzbfzX6o3ShlSLQjYAM2tvw4hBJ8AdXgarkVgouKv1Zt88 KcgseAAN40BY7xcbw4iW/pQQ8BokIfWlpyg5gsJbPe8skJLvE8Amu+P74UUs8AKSElvc FHOmaOKZjwHlSKsC95HZUbc7baHnShzDsOqGIyAN4wxlsFK9pY4LKmt0oXhnKUpOwDyn GXIA==
X-Gm-Message-State: APjAAAWKswjd8BzH3YmChCkSuk7c58l6V4zcOslcXrE6GVlD7e+2/Avd NMYQYAlJa1lJRyQceIn5UCc8Hs+rQ6iFUCNi9Oof8crevG8=
X-Google-Smtp-Source: APXvYqx9JJF5Hptm1hDXJkMGuyJJydZ05rfesbJeqRmSTe9egsrr/xJI4kQ7+/pO80i4TPQiwYimxP9USYRpmvrtMuk=
X-Received: by 2002:a17:902:fe0e:: with SMTP id g14mr31037999plj.285.1570469146505; Mon, 07 Oct 2019 10:25:46 -0700 (PDT)
MIME-Version: 1.0
References: <20191007002348.GA23742@x2.esmtp.org> <20191007015616.BE113BB3D68@ary.qy> <CANtKdUeC0NVfvVpbHtwd=OoO=BoT8KNWVx8BGF-GPZPU-zo6QA@mail.gmail.com> <CAOEezJTH4Jukz2J4jSDfixECg2Jyyk4+cDnasiAoa4Q2F9=ZZw@mail.gmail.com> <b0dae4ca6e95dc83ca70f71ad780a1432273bcf5.camel@aegee.org>
In-Reply-To: <b0dae4ca6e95dc83ca70f71ad780a1432273bcf5.camel@aegee.org>
From: Viruthagiri Thirumavalavan <giri@dombox.org>
Date: Mon, 07 Oct 2019 22:55:19 +0530
Message-ID: <CAOEezJRXUZkPoJn_kV92q=OQoUs32VzTR5a0JeAKg6NYBW55=Q@mail.gmail.com>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: SMTP Discuss <ietf-smtp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009bcaea0594555787"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/XjKL6k5ynMXfg5Vz5xwDm_2ZldE>
Subject: Re: [ietf-smtp] why are we reinventing mta-sts ?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 17:25:50 -0000

>
> Much more people know how to configure an HTTPS server, than to configure
> a SMTP server (with STARTTLS).  So configuring
> HTTPS is not an obstacle.  Since, soon or late a mail server operator will
> want to reject emails that fail DMARC
> validation, the operator will have to learn DKIM.  Then set some custom
> email rules, AV/AS and so on.  Setting up HTTPS
> (and a web-based mail client) looks trivial compared to the remaining
> pieces.


We both use a different demographic to define "end user" for MTA-STS. The
way you see it, an end user is a "mail server operator".  The way I see it,
an end user is a "small business" who hosts their mails in a third party
mail service like Gmail. Configuring an HTTPS server is not going to be
easy for such small businesses.

This comment <https://news.ycombinator.com/item?id=19629569> portrays that
part more clearly.

I'd like to be wrong, but with the nature of this standard, I don't expect
> heavy adoption. If a person is deploying G Suite or Office 365 or similar,
> they get asked to setup MX records, TXT for SPF, possibly DKIM and so on.
> If I could create a record that says "use the policy Microsoft/Google
> publish", it would be a no brainer. And it would take off because, much
> like SPF, these groups can just add it to their onboarding checklist.
> As soon as you say "deploy an end point on your domain", it falls in the
> too hard basket for unimportant domains. Moreover, in a corporate situation
> the people running mail have no involvement in web endpoints. For the mail
> domains I professionally manage, that falls into the domain of another
> department, and the people involved in running web endpoints are going to
> say something like "if it was important, Wordpress would do it already for
> us".


On Mon, Oct 7, 2019 at 9:09 PM Дилян Палаузов <dilyan.palauzov@aegee.org>
wrote:

> Hello,
>
> On Mon, 2019-10-07 at 18:55 +0530, Viruthagiri Thirumavalavan wrote:
> > (3) Not all end users have knowledge about how to configure an HTTPS
> server. This is the reason why most of them relying on third party mail
> hosting services like Gmail for hosting their mails. They can follow simple
> things like adding a DNS record. But configuring an HTTPS server is going
> to be a rocket science for them.
> >
>
> Much more people know how to configure an HTTPS server, than to configure
> a SMTP server (with STARTTLS).  So configuring
> HTTPS is not an obstacle.  Since, soon or late a mail server operator will
> want to reject emails that fail DMARC
> validation, the operator will have to learn DKIM.  Then set some custom
> email rules, AV/AS and so on.  Setting up HTTPS
> (and a web-based mail client) looks trivial compared to the remaining
> pieces.
>
> The HSTS (http strict transport security) preload list,
> https://hstspreload.org/, is knowledge in HTTP browsers, about
> sites, which serve content explicitly over HTTPS.  Browsers use the
> knowledge and do not contact the hosts under the
> listed domains over pure HTTP.
>
> Similar to it, there is a MTA-STS (smtp strict transport security) preload
> list: a set of hosts, which can serve SMTP
> over TLS.  The list is hosted at https://starttls-everywhere.org/ .  This
> list functions just like HSTS preload list,
> but for port 25.
>
> Talking about SMTP and TLS is bi-fold.  There are incoming and outgoing
> connections.  Depending on the MTA, setting up a
> MTA that applies DANE for outgoing connections can be done very easily, so
> in the context of outgoing connections,
> utilizing DANE/DNSSEC can be easier than MTA-STS.
>
> Installing the MTA-STS preload list on the own MTA, and using it for
> outgoing connections, can be easier than
> configuring MTA-STS for outgoing connections.
>
> Deploying/enforcing DANE for outgoing connections is equally hard compared
> to deploying MTA-STS for outgoing
> connections, when the used MTA offers neither features.
>
> To sum up, the options in the MTA are:
> * for outgoing connections:
>   - check MTA-STS (without necessary publishing own MTA-STS records)
>   - check DANE (without having deployed DNSSEC for the own domain)
>   - check the STARTTLS-everywhere preload list for the destination host
>   - consider sending your own certificate during establishing the TLS
> tunnel (nearly nobody does this)
>
> * for incoming connections:
>   - publish MTA-STS records
>   - publish DANE records, once DNSSEC is set up
>   - add an entry in the MTA-STS preload list
>
> * for both: speak TLS 1.3 .
>
> What are the pros and cons of sending the certificate of the SMTP client
> to the SMTP server, during STARTTLS?
>
> Regards
>   Дилян
>
>

-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.

v2.23.0 | Report a Bug | By Email