Re: IETF mail server and SSLv3

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 February 2016 16:36 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 521B31B317F for <ietf@ietfa.amsl.com>; Fri, 5 Feb 2016 08:36:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TndTQ23rUDtf for <ietf@ietfa.amsl.com>; Fri, 5 Feb 2016 08:36:42 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC8041B320E for <ietf@ietf.org>; Fri, 5 Feb 2016 08:36:41 -0800 (PST)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id DFF7A282C3D for <ietf@ietf.org>; Fri, 5 Feb 2016 16:36:40 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: IETF mail server and SSLv3
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <01PWBHCOQZTW00008P@mauve.mrochek.com>
Date: Fri, 05 Feb 2016 11:36:39 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <41DAD220-5501-47DF-8484-340F86180CFC@dukhovni.org>
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <20160204024001.GM19242@mournblade.imrryr.org> <C9624BB55C713BCF83E4A552@7AD4D3FB4841A5E367CCF211> <08CEE02F-74DF-4C5E-A116-AB66FD8516FA@dukhovni.org> <01PWAPWAKLJI00008P@mauve.mrochek.com> <20160205041346.GS19242@mournblade.imrryr.org> <01PWBEB7DVJY00008P@mauve.mrochek.com> <20160205154435.GT19242@mournblade.imrryr.org> <01PWBHCOQZTW00008P@mauve.mrochek.com>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/XsDRJL5tufR77gyKBZzj2OeCn5s>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 16:36:43 -0000

> On Feb 5, 2016, at 11:04 AM, Ned Freed <ned.freed@mrochek.com> wrote:
> 
>> As for a delay of < 5 minutes delivering email to such broken sites
>> it is, for most users, a reasonable trade-off to reduce needless
>> TLS fallback in the face of routine transmission glitches.
> 
> That's a consequence of piggybacking cleartext fallback on the deferral
> mechanism you use for transmission failures. It doesn't have to be done this
> way.

Final comment.  Cleartext fallback in Postfix is NOT piggybacked on the deferral
mechanism, in fact until quite recently cleartext fallback was done synchronously
during the initial delivery.

And in fact, it is still synchronous now, because the second delivery still tries
TLS again (just in case the first failure was a fluke) and then retries in cleartext
without extra delay (beyond the time it takes to try and fail TLS).

The new approach is a careful compromise that avoids over-eager cleartext fallback
on the first attempt, not because we don't have the code to do it right away, but
because we *chose* to delay and try TLS again.

With that, I'm done imposing on ietf@ietf.org in this thread.  Sorry about the
noise.

-- 
	Viktor.
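The two fallback policies contrasted in the post, as an added model that is not part of the thread and not Postfix's code. It treats each delivery attempt as a single TLS handshake outcome (a constructed list of booleans) and assumes a cleartext session always succeeds once attempted. The point it makes visible is the one the post argues: with the deferred policy, a transient TLS glitch on the first attempt costs one queue deferral but still ends in a TLS delivery, whereas eager fallback downgrades that same message to cleartext; a persistently broken peer still gets cleartext on the second attempt with no extra delay.

```python
"""Model of opportunistic-TLS cleartext fallback policies for an MTA.

Added illustration only; not Postfix source. A delivery "attempt" is one
pass of the queue manager over the message. tls_results[i] is a constructed
flag saying whether the TLS handshake succeeds on attempt i+1. Cleartext is
assumed to always succeed once it is tried.
"""
from typing import List, Tuple

Event = Tuple[int, str, str]  # (attempt number, action, outcome)


def eager_fallback(tls_results: List[bool]) -> Tuple[str, List[Event]]:
    """Over-eager policy: cleartext is tried as soon as TLS fails, even on
    the very first attempt. A transient handshake glitch therefore turns
    into a cleartext delivery."""
    log: List[Event] = []
    for attempt, ok in enumerate(tls_results, start=1):
        log.append((attempt, "tls", "ok" if ok else "fail"))
        if ok:
            return "tls", log
        log.append((attempt, "plaintext", "ok"))
        return "plaintext", log
    return "undelivered", log


def deferred_fallback(tls_results: List[bool]) -> Tuple[str, List[Event]]:
    """Policy described in the post: a TLS failure on the first attempt only
    defers the message. On a later attempt TLS is tried again and, if it
    fails once more, cleartext follows immediately within that same attempt
    (no additional deferral beyond the failed handshake itself)."""
    log: List[Event] = []
    for attempt, ok in enumerate(tls_results, start=1):
        log.append((attempt, "tls", "ok" if ok else "fail"))
        if ok:
            return "tls", log
        if attempt == 1:
            log.append((attempt, "defer", "requeued"))
            continue
        log.append((attempt, "plaintext", "ok"))
        return "plaintext", log
    return "undelivered", log


def deferrals(log: List[Event]) -> int:
    """Number of times the message went back to the queue before delivery."""
    return sum(1 for _, action, _ in log if action == "defer")


if __name__ == "__main__":
    # Constructed scenarios.
    glitch_then_ok = [False, True]        # transient TLS failure, then fine
    always_broken = [False, False]        # peer that never completes TLS
    for name, policy in (("eager", eager_fallback), ("deferred", deferred_fallback)):
        for label, results in (("glitch", glitch_then_ok), ("broken", always_broken)):
            outcome, log = policy(results)
            print(f"{name:8s} {label:6s} -> {outcome:11s} deferrals={deferrals(log)} {log}")
```

Running the block prints one line per policy and scenario; the "glitch" rows are the ones that differ, and the "broken" rows show both policies ending in cleartext, the deferred one a single retry interval later.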