Re: [ietf-smtp] How to encrypt SMTP?
Дилян Палаузов <dilyan.palauzov@aegee.org> Sat, 26 October 2019 13:33 UTC
Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16D961200A3 for <ietf-smtp@ietfa.amsl.com>; Sat, 26 Oct 2019 06:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UDSbjSAV5xPC for <ietf-smtp@ietfa.amsl.com>; Sat, 26 Oct 2019 06:33:36 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C35BC120024 for <ietf-smtp@ietf.org>; Sat, 26 Oct 2019 06:33:35 -0700 (PDT)
Authentication-Results: mail.aegee.org/x9QDXWvg031132; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1572096814; i=dkim+MSA-tls@aegee.org; r=y; bh=twyly735QYVD9lNm/3sn98NVVkm2CLZ80QhplYUqASQ=; h=Subject:From:To:Date:In-Reply-To:References; b=DcSqt6o1qtligDC4WnBjhHpwog2Hka9SatyVMXWvm/57GkbLf2VZm22NygpihAyL1 0TMg+CB81VGzFbiGZYjifTfu3hdzOMGyJRSnuCD4D4zRiWQ3FYjcttDIeNL9ZHV8Mj IhIbPa3f2v0PRG1sj72/ik49yTMQY6slR9FbYW7bJKr0YW8dP8IkrhsSH5B7hF5cxl C9Kz/K8akKRxGf9QBk9vBfQuiXjjSzHRn6/0QHU8bghXhZ7rQWFBBIN8qBe9360lKQ c0fG4vAfrf/5IYCjhDcy4Qrz0DFU5o5vdOnDe1tgiVaDaL7EN924qitEX85QCEaGNI nBdwpQ6pJyM25UrqhYCDobuWADwJutgmBBQEYHER0DbkhZKVbeuoc5cbdCXOfm5ECU OeYzi4nBN2flh81D/WMUMFirEQvbr7N/SWR//qCAK9EU3ROmhbJbg9C4EuyILn6W6/ 2ODD21tSUXw8Tjg0izn+cHRd+kGGnSrE+u9ACKUo6iDFzDrl7GGV9ymTQu+Xia4k3z yKQCwcui5Euh97IlYGI9ZwQfC1FAMzfZGVuVJeER1dgF+Ztblzn5M+83Wdz/02XWvy dModQz5TLaColiqjI2+D2fkOzqwFBCfJpvJUD1QFpboIg949SuLMd4A3C1tqxFL/Dy 4QFRhXCN5CDXSbSPU6EK1thI=
Authentication-Results: mail.aegee.org/x9QDXWvg031132; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x9QDXWvg031132 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <ietf-smtp@ietf.org>; Sat, 26 Oct 2019 13:33:33 GMT
Message-ID: <de6d60415a2e3c9e3ab95690ca71b4e7cae94cf2.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: ietf-smtp@ietf.org
Date: Sat, 26 Oct 2019 13:33:32 +0000
In-Reply-To: <8B777B0F-6CA9-4683-92BD-2882C62A7D36@dukhovni.org>
References: <1420291b5ffe6b65da9bd8e933648b6029dd4c94.camel@aegee.org> <8B777B0F-6CA9-4683-92BD-2882C62A7D36@dukhovni.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.35.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.4 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Y-U0x0y9nEQYlX_GEY1iuaapoUQ>
Subject: Re: [ietf-smtp] How to encrypt SMTP?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Oct 2019 13:33:38 -0000
Hello Viktor, thanks for your answer. Why is it common for https-providers to offer both RSA and EC certificates, but it is not common for IMAP or SMTP providers to offer EC certificates? I mean, if EC offers less calculations without sacrificing security, why nobody makes use of this? > DANE (~3 years earlier) specifies at least TLS 1.0 and SHOULD TLS 1.2: > > https://tools.ietf.org/html/rfc7671#section-3 > > The Postfix TLS implementation does not allow enable ciphers > when TLS is mandatory, and these are rapidly disappearing > entirely from TLS stacks. > I do not get the last paragraph. Greetings Дилян > > Does somebody offer both EC and RSA certificates on its smtp:25 server and had this ever caused problems? > > This generally just works. > > > Does somebody offer both EC and RSA certificates with DANE on its smtp:25 server and had this ever caused problems? > > Yes, there are such sites. This just works with MTA-STS and DANE-TA(2) > trust-anchor TLSA RRs, as only the name in the certificate matters, the > algorithm is not so important. With DANE-EE(3), the TLSA RR becomes > public-key-dependent, and multiple TLSA RRs are needed when fielding > certs for multiple algorithms. See > > https://www.mail-archive.com/dane-users@sys4.de/msg00284.html > https://www.mail-archive.com/dane-users@sys4.de/msg00285.html > > But multi-cert MTAs are uncommon, and this is not actually difficult > to get right, single-cert rollover blunders account for almost all > problem cases. > > > How much bits shall DH params have to support acceptable amount of mailhosts? > > I don't know of any MTAs that will refuse 1024-bit DH, but better to > use 2048 and better still ECDHE with P-256. > > > Do too big DH params break some clients? > > Yes, Java. > > > What elliptic curves shall be offered, so that the communication works with acceptable amount of hosts? > > The "market consensus" is NIST P256, everything else is rare, > but you need to enable negotiation, and also support P384, > just in case. There is also non-trivial use of X25519 these > days, but systems that use it, can also use P256 as needed. >
- [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] How to encrypt SMTP? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Hector Santos
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] How to encrypt SMTP? Jeremy Harris
- Re: [ietf-smtp] How to encrypt SMTP? John R Levine
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] encouraging PRDR (was: How to enc… Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni