Re: [ietf-smtp] How to encrypt SMTP?
Keith Moore <moore@network-heretics.com> Sun, 27 October 2019 01:03 UTC
Return-Path: <moore@network-heretics.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD3A120104 for <ietf-smtp@ietfa.amsl.com>; Sat, 26 Oct 2019 18:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VmRo3_gF9Zm for <ietf-smtp@ietfa.amsl.com>; Sat, 26 Oct 2019 18:02:58 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A6451200FF for <ietf-smtp@ietf.org>; Sat, 26 Oct 2019 18:02:58 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id A4AAE2E4; Sat, 26 Oct 2019 21:02:57 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Sat, 26 Oct 2019 21:02:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=gmgpPN/YCjl7nxfDXryAQXADtyQSOpRSRMyOMTszo nQ=; b=e0iHerMmrl4nsvFCegWswW6cGHD16HMquQNZEsjykdsnXDuZjsrXAcUrB NMrChQTQjWzy8w637zQAyw7xJcNG+2aigDhTBMfUyTY71xxSmbQOjbCN+d50k2yI InvxLgZG6mGW868L2mhsERt2D4oWo72CA5i21Zz3zBQiT1TUzb6EJUH50kFe3c7M hPne2ZZwgYZ3l/dDgRtmFi3r9sr6HzeLay+CfzFF6cL08U1i1SRMQhhRy/7uavhi /HThB2b+LGmWXiUyPAHg/U0JB50Wk7Lq1U3yRCohbaWtbxZU/kfi9xdrL2FV7fMA LWmwpbPREsj/NOBZI5JNv20hkQbXw==
X-ME-Sender: <xms:wOy0XaoStep_3JwXVLq5VMgZiVbUkyc4Hajjqog34STlP6tvKtJaxg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrleeigdegvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtgfesthekre dttdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecukfhppedutdekrddvvddurddukedtrdduhe enucfrrghrrghmpehmrghilhhfrhhomhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgv thhitghsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:wOy0XedFPG57L-tD-JLXR7R3eR3wdOudcInvrRNEEOnRR64S3ahbeQ> <xmx:wOy0XRRj3f7DRY6to3d4UocOw2kSm1j8REo5Gpup3wIZMYk7Pv1_zA> <xmx:wOy0XSc-WAz7amD81rO2lUewgHIZLCDp160IJX1ttYl9zuaVs2X6TA> <xmx:wey0XS0wsXEksFKLMGpCLPbu-9uZcuJAjQZ5q2rx6Rl4gFbQVt1CkA>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 82C75D6005B; Sat, 26 Oct 2019 21:02:56 -0400 (EDT)
To: ietf-smtp@ietf.org
References: <20191027002554.260ABD7437F@ary.qy> <344aaf1f-df91-ffb9-38bc-527d159a2ca6@network-heretics.com> <alpine.OSX.2.21.99999.368.1910262041440.10592@ary.qy>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <ee3b3211-a0be-b6f3-b551-0027fcea63c4@network-heretics.com>
Date: Sat, 26 Oct 2019 21:02:55 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.99999.368.1910262041440.10592@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/dOqVlLxJ3misJ20QA6Na4GzYOmM>
Subject: Re: [ietf-smtp] How to encrypt SMTP?
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Oct 2019 01:03:01 -0000
On 10/26/19 8:47 PM, John R Levine wrote: >> Maybe it's not necessary, but I don't know how widely mta-sts is >> being required. What are the barriers to server operators turning >> on MTA-STS everywhere? > I expect the main barrier is that large scale operators see failures > on legit traffic that would be invisible to us little guys, but enough > of them that they're not ready to accept that level of breakage. Yeah, that's what I was getting at. I've often suspected that there were more distinct implementations of SMTP than nearly any other protocol, even more than HTTP. That's a lot of implementations that need to be upgraded (at least, all of those used for mail relaying and not merely submission), and I'd expect the long tail to take a long time. If I were an email service operator I'd be reluctant to reject legitimate mail. But of course spam filters are already doing this to an astonishingly high degree and that has become accepted practice (sigh). So maybe a general requirement to use TLS for mail relaying between administrative domains wouldn't look like a huge change. Maybe it would even be justified as a spam deterrent. My only thought regarding 4xx was that sometimes a soft incentive works better than a hard one. If relaying mail by cleartext still "worked", only more slowly because clients had to retry X% of the time, that seems to me to provide a more workable feedback path to the operators not using TLS, than a sudden hard refusal to accept cleartext SMTP. > I believe it's the same reason that Google doesn't sign their domains > with DNSSEC. They certainly could if they wanted to. Nor sure I get the analogy. AFAIK if Google signed their domains, the only things that would break would be broken DNS clients/resolvers doing verification, which would hopefully be few in number. Keith
- [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] How to encrypt SMTP? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Hector Santos
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] How to encrypt SMTP? Jeremy Harris
- Re: [ietf-smtp] How to encrypt SMTP? John R Levine
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni
- Re: [ietf-smtp] How to encrypt SMTP? John Levine
- Re: [ietf-smtp] How to encrypt SMTP? Дилян Палаузов
- Re: [ietf-smtp] encouraging PRDR (was: How to enc… Keith Moore
- Re: [ietf-smtp] How to encrypt SMTP? Viktor Dukhovni