Re: [Uta] MTA-STS-03 review
Daniel Margolis <dmargolis@google.com> Fri, 24 March 2017 17:00 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0286A127337 for <uta@ietfa.amsl.com>; Fri, 24 Mar 2017 10:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzRUsXbWRYoi for <uta@ietfa.amsl.com>; Fri, 24 Mar 2017 10:00:26 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FC96127078 for <uta@ietf.org>; Fri, 24 Mar 2017 10:00:26 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id y18so14637856itc.0 for <uta@ietf.org>; Fri, 24 Mar 2017 10:00:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=URZM5vXKdFt0jLhAilwZ46Pe5D5wLlMxIryu4iEgAEY=; b=fLwAqsUMFmXvSvJI6jN5BFv6xygjQnaRExbt1Jh0wTvDAwdT2JBMj7Da3mOK7oZMLW /RPe0RGTJo8+A9MmXlbY3qkwpXvVfbsUX9/wrvvwVcrmbxtuT/LTeij8lnIMGeWdSYMt PCCAAjOwj/N4m0fYQ859J2ewLvFMiixXwyzJcCwSF5t1t9g1G3bxseo03tdbuhW+A7O1 4b0meYNgO2fajI+SIhL+o0OmY+RqYR+JfHls8NqXxvp59F6OSlcqxGdhEHCTJ9aZnpOc 7v0ViMYSdmIjxxRYMeIo3Nvb2DsWfxoiifR4axUx4EuoaNcIGEDb/4hnSCr69YoEA8MI CwbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=URZM5vXKdFt0jLhAilwZ46Pe5D5wLlMxIryu4iEgAEY=; b=cR8H58INlif3W7Dk501ynWCwlGmaHyfZOqdF3+WTfeNtGa0v6x+vf6I3AJCy21gGM8 INNEqzBswUea4zDXyY2gLstZldynPRS2QX13lR88TdKUGEYNStef1vCZs98wbBmn+rgs jwNymti4qZM46FzYfDygo6/l0jjbwbL/BPi+NPHTC0CQ6D31N26oMeRrGsSpdgtq/WEc fet+Stvk+XVd5V5YMx+qhBXUrHVHx0L63A9h4dBz1g3W2klOlWLJ3l99yffJ4cNGvon7 YZW0e10dhdHgjpRASQvaHjDhfR3E3u2y7qAZruWmGYgRp1qD8WzDlLzte/ji13S48PEO +zOg==
X-Gm-Message-State: AFeK/H15lrAKHXH4STn0DjCYKUSUqp7ae5BADAHl1vkn4J7mIKpsfEegQHY5iZNDts5qf+hQ9WK/E/+3o3grApPJ
X-Received: by 10.36.80.213 with SMTP id m204mr3840840itb.105.1490374825018; Fri, 24 Mar 2017 10:00:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Fri, 24 Mar 2017 10:00:23 -0700 (PDT)
In-Reply-To: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Fri, 24 Mar 2017 18:00:23 +0100
Message-ID: <CANtKdUcZcpUFBHw+O2XL8vFL5ChjjZfpcGn_mQxXFFuEgNYK=w@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1145f2fa139ec2054b7ceefa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/2WyjAmDqGQBiGPpk58fdxLcHXOg>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 17:00:32 -0000
> > > 6.1. Policy Updates > > > > Updating the policy requires that the owner make changes in two > > places: the "mta-sts" TXT record in the Policy Domain's DNS zone and > > at the corresponding HTTPS endpoint. In the case where the HTTPS > > endpoint has been updated but the TXT record has not yet been, > > senders will not know there is a new policy released and may thus > > continue to use old, previously cached versions. Recipients should > > thus expect a policy will continue to be used by senders until both > > the HTTPS and TXT endpoints are updated and the TXT record's TTL has > > passed. > The lifetime could be longer. Some MTAs may initiate *background* refresh > of unexpired policies after the DNS TXT record is found to have changed, > which may not happen until the first message to the destination is sent > after that change, and *that* message may well go out based on the already > cached policy while the refresh is in process. If the policy no longer > matches reality, the message may be deferred, and would perhaps succeed > on retry with a more current policy. > So the TXT record will not guarantee refresh in any particular timeframe. > If no mail is sent to the destination, the policy may expire unused despite > the TXT record change. I'm no longer sure what this section was meant to convey. If I switch my policy from policy A to policy B at time t1, anyone may nonetheless continue to use policy A up until t1 + max_age_A, but no longer, regardless of when they fetched it. Policies *must not* be used longer than max_age past the last time they were actually being served. The DNS TTL doesn't really come into it. I think we added this section to try to clarify a different case (not relating to max_age): when publishing a new policy (B), people may continue to use A *and not try to get B even on failure* for the duration of the TTL (because checking the TXT record will not indicate that there is in fact a new policy). So I will clarify that part. On Wed, Mar 22, 2017 at 6:04 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > [ I've pasted in the entire draft, and "quoted" it as though it > were a post to trim an reply to. ] > > > SMTP MTA Strict Transport Security (MTA-STS) > > draft-ietf-uta-mta-sts-03 > > > > Abstract > > > > SMTP Mail Transfer Agent Strict Transport Security (SMTP STS) is a > > mechanism enabling mail service providers to declare their ability to > > receive TLS-secured connections and an expected validity of > > certificates presented by their MX hosts, and to specify whether > > sending SMTP servers should refuse to deliver to MX hosts that do not > > offer TLS with a trusted server certificate. > > In the abstract I think that "TLS-secured" already covers certificate > validity (which makes for a clumsy insertion into the text anyway). > Also instead of "TLS-secured connections" say "TLS-secure SMTP > connections". > > See https://www.rfc-editor.org/materials/abbrev.expansion.txt for the > list of common IETF acronyms, and which are sufficiently widely used > to not need to be expanded on first use. Thus SMTP and ESMTP are fine > with expansion, but apparently we've not yet reached similar familiarity > with TLS. :-) > > > 1. Introduction > > > > The STARTTLS extension to SMTP [RFC3207] allows SMTP clients and > > hosts to negotiate the use of a TLS channel for secure mail > > transmission. > > I would drop "secure" above, or replace it with "encrypted". > > > > While such _opportunistic_ encryption protocols provide a high > > While "_" may work as italics in MarkDown, you'll need to change all > these to RFC XML (where IIRC <i>...</i> may be supported, but don't > take my word for it, check). > > More importantly, you've made quite a leap here from talking about > RFC 3207, which merely defines an SMTP extension mechanism, to assuming > that the reader knows how the extension is typically used. It also > important to recall that opportunistic security (as defined in RFC7435) > subsumes both MTA best-effort unauthenticated encryption, and the new > opportunistically authenticated DANE and STS use-cases. With DANE and > STS transmission is protected only when and as receiving system publishes > the requisite policy records. DANE offers stronger downgrade protection, > at the cost of requiring DNSSEC to achieve that goal. > > > barrier against passive man-in-the-middle traffic interception, > > therefore the "passive-only" protection is a feature of unauthenticated > opportunistic security, as practiced by most MTAs at present. > > > This document defines a mechanism for recipient domains to publish > > policies specifying: > > > > o whether MTAs sending mail to this domain can expect TLS support > > > > o expected validity of server certificates presented by the domain's > > MX hosts > > It seems to me that STS does not provide any means to signal > unauthenticated TLS support. And so, as in the abstract, the > above two bullets are really just one, "WebPKI TLS security". > > > 1.1. Terminology > > > > We also define the following terms for further use in this document: > > > > o STS Policy: A committment by the Policy Domain to support PKIX > > authenticated TLS for the specified MX hosts. > > Which I think confirms my point about "authenticated TLS" as the > only available commitment. > > > o Policy Domain: The domain for which an STS Policy is defined. > > (For example, when sending mail to "alice@example.com", the policy > > domain is "example.com".) > > Perhaps this should mention that more generally this is the nexthop > domain for SMTP delivery, and when mail routing is preƫmpted by > by explicit relays via local policy, the Policy domain is the > domain name of the explicit relay (prior to any MX lookups if > applicable). > > > o Policy Authentication: Authentication of the STS policy retrieved > > for a recipient domain by the sender. > > This definition seems all too circular. What does it actually mean? > > > 2. Related Technologies > > > > The DANE TLSA record [RFC7672] is similar, in that DANE is also > > designed to upgrade opportunistic, unauthenticated encryption into > > required, authenticated encryption. > > Opportunistic DANE TLS upgrades unauthenticated encryption or even > cleartext delivery to downgrade-resistant authenticated TLS. (Side > note, not for the draft, for actually non-opportunistic TLS see > Jim Fenton's REQUIRETLS proposal). STS aims to do the same, but > without requiring TLS at the cost of losing some downgrade protection. > > > DANE requires DNSSEC [RFC4033] > > for authentication; the mechanism described here instead relies on > > certificate authorities (CAs) and does not require DNSSEC. For a > > thorough discussion of this trade-off, see the section _Security_ > > _Considerations_. > > The Security Considerations section (once again this is not MarkDown) > will need to properly discuss the downgrade exposure of STS on first > contact, and this trade-off probably should be mentioned here up-front. > > > In addition, SMTP STS provides an optional report-only mode, enabling > > soft deployments to detect policy failures. > > It is easy to define a couple of new "certificate usage" code-points > for DANE that similarly signal "soft-fail" (with reporting). Would > the group strongly support a draft along those lines? I am not sure > that a merely "tamper-evident" operating mode is a good idea as a > persistent operating state, and I think that the ability to have > one or more (backup, i.e. worse preference) MX hosts without TLSA > records adequately addresses the need for incremental deployment. > > > 3. Policy Discovery > > > > To discover if a recipient domain implements MTA-STS, a sender need > > only resolve a single TXT record. To see if an updated policy is > > available for a domain for which the sender has a previously cached > > policy, the sender need only check the TXT record's version "id" > > against the cached value. > > Given earlier discussion on the list, while new "id" values can give > expedited signals to refresh the policy, it may be appropriate here, > (but perhaps later in the document as you see fit) to describe a > recommended approach to proactively refresh policies prior to their > pending expiration, this reduces the probability of "gaps" in policy > coverage if the remote HTTPS service is unavailable just as a policy > is expiring. > > In practice (say in Postfix, if/when STS is implemented) I wouldn't > go looking through the cache for policies to refresh except when > delivering mail to the destination in question. I don't want the > cache to become a roach motel for policies to destinations I never > again send mail to. If communication with a destination ceases > completely, it is not unreasonable to let its STS policy simply > age out. Google et. al. may of course choose indefinite data > retension (data retentiveness is Google's business), but for > SOHO and enterprise MTAs, the above may be more appropriate. > > > 3.2. MTA-STS Policies > > > > This JSON object contains the following key/value pairs: > > > > o "version": (plain-text, required). Currently only "STSv1" is > > supported. > > > > o "mode": (plain-text, required). Either "enforce" or "report", > > indicating the expected behavior of a sending MTA in the case of a > > policy validation failure. > > > > o "max_age": Max lifetime of the policy (plain-text non-negative > > integer seconds, required). Well-behaved clients SHOULD cache a > > policy for up to this value from last policy fetch time. To > > mitigate the risks of attacks at policy refresh time, it is > > expected that this value typically be in the range of weeks or > > greater. > > A more comprehensive mitigation for attacks "at policy refresh time" > would entail not just a long lifetime, but proactive refresh as mentioned > above. > > > o "mx": MX patterns (list of plain-text MX match strings, required). > > One or more patterns matching the expected MX for this domain. > > For example, "["*.example.com", "*.example.net"]" indicates that > > mail for this domain might be handled by any MX with a hostname at > > "example.com" or "example.net". Valid patterns can be either > > hostname literals (e.g. "mx1.example.com") or wildcard matches, so > > long as the wildcard occupies the full left-most label in the > > pattern. (Thus "*.example.com" is valid but "mx*.example.com" is > > not.) > > Here, as discussed on the list, serious consideration should be given > to changing the semantics from validating the MX hostname to specifying > the names allowed in the server's certificate. This simplifies MX > processing > (which remains unmodified) and merely changes the conditions under which an > MX host is considered suitably authenticated per the policy. > > Which, for example, allows the MX hosts to share a single certificate > with the destination domain (and not the MX hostname) as its DNS SAN. > If the policy lists that (shared) name as what's expected in the > certificate, > then authentication succeeds when the MX host's certificate matches one of > the allowed names. > > It should be made clear that the names here are always in A-label form > and not U-label form (as they also are in DNS names in certificates). > > Furthermore, I think that using "*.example.com" in what are essentially > (rfc6125) reference identifiers creates confusion with similar-looking, but > semantically distinct wildcard names in certificates. My suggestion was > ".example.com" for sub-domain matching, with the policy optionally > specifying > whether only single-label prefixes are accepted, or whether in fact > multi-label > prefixes are also valid. > > > An example JSON policy is as below: > > > > { > > "version": "STSv1", > > "mode": "enforce", > > "mx": ["*.mail.example.com"], > > "max_age": 123456 > > } > > FWIW, I would have chosen something less fancy than JSON for > what is clearly a simple array of attribute/value pairs. ESMTP > already encodes such optional A/V pairs as space separated lists > of attr=value with xtext encoding as needed (it is not needed for > any plausible value of the above attributes). > > We're not going to add a JSON decoder to the Postfix SMTP client, > but if this specification retains JSON, then the code that does > background policy retrieval will need to transform JSON into > something more friendly to traditional C-based MTA implementations. > > > 4. Policy Validation > > Are we validating the policy or using the policy to authenticate > the MX host? I think the name of this section is suboptimal. > > > When sending to an MX at a domain for which the sender has a valid > > and non-expired SMTP MTA-STS policy, a sending MTA honoring SMTP STS > > MUST validate: > > s/validate/check/ or /ensure/. > > > 1. That the recipient MX matches the "mx" pattern from the recipient > > domain's policy. > > See above, perhaps "mx" becomes "san" and the check is deferred until > it is time to verify the host's certificate. > > > 2. That the recipient MX supports STARTTLS and offers a valid PKIX > > based TLS certificate. > > Here, it would be prudent to mention rfc6125, and be explicit about > the acceptable wildcard patterns in that certificate. See, for example: > > https://tools.ietf.org/html/rfc7672#section-3.2.3 > > which limits certificate wildcards to the entire first label only. I > would like to avoid supporting more general wildcards in new > specifications. > > > This section does not dictate the behavior of sending MTAs when > > policies fail to validate; in particular, validation failures of > > policies which specify "report" mode MUST NOT be interpreted as > > delivery failures, as described in the section _Policy_ > > _Application_. > > The first sentence is unfortunate, you are in fact specifying behaviour, > in the very next sentence. It might be better to add a forward-reference > to a section that provides a detailed explanation and not start with a > disclaimer. > > > 4.1. MX Matching > > > > When delivering mail for the Policy Domain to a recipient MX host, > > the sender validates the MX match against the "mx" pattern from the > > applied policy. The semantics for these patterns are those found in > > section 6.4 of [RFC6125]. > > Assuming this text survives, replace: > > validates the MX match against the "mx" pattern > > with something like > > ensures that the MX host name is consistent with the "mx" > property of the STS policy (only matching MX hosts are > used in delivery attempts). > > The reference to rfc6125 is rather unfortunate here, since it defines > semantics for presented identifiers, not reference identifiers. > > > 4.2. MX Certificate Validation > > > > The certificate presented by the receiving MX MUST be valid for the > > MX hostname and chain to a root CA that is trusted by the sending > > MTA. The certificate MUST have a CN or SAN matching the MX hostname > > (as described in [RFC6125]) and be non-expired. > > Here, if the proposal to switch from "mx" to "san" is taken up, the > peer certificate is no longer restricted to authenticate the MX hostname, > rather, one its presented identifiers needs to match one of the reference > identifiers fro the "san" policy attribute. Either way some discussion > is appropriate of how to perform matching when both the reference and > the presented identifiers are "wildcards". > > > 5. Policy Application > > This is an appropriate target for the afore-mentioned forward-reference. > > > When sending to an MX at a domain for which the sender has a valid, > > non-expired STS policy, a sending MTA honoring SMTP STS applies the > > result of a policy validation one of two ways, depending on the value > > of the policy "mode" field: > > > > 1. "report": In this mode, sending MTAs merely send a report (as > > described in the TLSRPT specification (TODO: add ref)) indicating > > policy application failures. > > > > 2. "enforce": In this mode, sending MTAs treat STS policy failures > > as a mail delivery error, and MUST NOT deliver the message to > > this host. > > We should not confuse "delivery error" with "authentication failure". > When one MX host fails authentication, the next MX host should be > tried. And, I think it should be mentioned that if all the MX > hosts (that the sender is willing to try) fail authentication, the > message should be deferred, not bounced. > > > When a message fails to deliver due to an "enforce" policy, a > > compliant MTA MUST check for the presence of an updated policy at the > > Policy Domain before permanently failing to deliver the message. > > This allows implementing domains to update long-lived policies on the > > fly. > > This seems to suggest the contrary, i.e. that it might be appropriate > to bounce on policy failure when a more fresh policy still fails. > However certificate problems (expiration most typically) are transient, > and a receiving system operator should/may notice the problem before > outstanding messages expire and bounce. So I would urge implementors > to queue, rather than bounce, on authentication failure. > > > 5.1. MX Preference > > This section would go if a switch from "mx" to "san" takes place. > > > 5.2. Policy Application Control Flow > > > > An example control flow for a compliant sender consists of the > > following steps: > > Step 0: If the sending MTA is DANE-capable, the destination is > DNSSEC signed, and one or more of the MX hosts have DANE TLSA > records, then DANE TLSA preempts STS (more downgrade-resistant, > works on first contact, ...). > > This is another reason to avoid STS-based MX filtering, with DNSSEC > signed destinations the security of the MX records is sufficiently > established, and we need to be able to proceed with DANE MX by MX, > using STS policy only for MX hosts with no TLSA records. > > > 1. Check for a cached policy whose time-since-fetch has not exceeded > > its "max_age". If none exists, attempt to fetch a new policy. > > (Optionally, sending MTAs may unconditionally check for a new > > policy at this step.) > > Is "attempt to fetch" well understood at this point? The attempt only > happens if the DNS TXT record is in place... > > > 2. Filter candidate MXs against the current policy. > > See "san" vs. "mx" issue above. Also proceed with non-STS delivery > absent any policy. > > > 3. If no candidate MXs are valid and the policy mode is "enforce", > > temporarily fail the message. (Otherwise, generate a failure > > report but deliver as though MTA STS were not implemented.) > > Ditto. > > > 4. For each candidate MX, in order of MX priority, attempt to > > deliver the message, enforcing STARTTLS and the MX host's PKIX > > certificate validation. > > Well, no so much enforcing as performing, authentication may be allowed > to fail in "report" mode. And of course only if there is an STS policy > to use. > > > 5. Upon message retries, a message MAY be permanently failed > > following first checking for the presence of a new policy (as > > indicated by the "id" field in the "mta-sts" TXT record). > > I think this is a mistake. Please do not turn transient errors into > permanent failures. > > > 6.1. Policy Updates > > > > Updating the policy requires that the owner make changes in two > > places: the "mta-sts" TXT record in the Policy Domain's DNS zone and > > at the corresponding HTTPS endpoint. In the case where the HTTPS > > endpoint has been updated but the TXT record has not yet been, > > senders will not know there is a new policy released and may thus > > continue to use old, previously cached versions. Recipients should > > thus expect a policy will continue to be used by senders until both > > the HTTPS and TXT endpoints are updated and the TXT record's TTL has > > passed. > > The lifetime could be longer. Some MTAs may initiate *background* refresh > of unexpired policies after the DNS TXT record is found to have changed, > which may not happen until the first message to the destination is sent > after that change, and *that* message may well go out based on the already > cached policy while the refresh is in process. If the policy no longer > matches reality, the message may be deferred, and would perhaps succeed > on retry with a more current policy. > > So the TXT record will not guarantee refresh in any particular timeframe. > If no mail is sent to the destination, the policy may expire unused despite > the TXT record change. > > > 8. Security Considerations > > > > Since we use DNS TXT records for policy discovery, an attacker who is > > able to block DNS responses can suppress the discovery of an STS > > Policy, making the Policy Domain appear not to have an STS Policy. > > The sender policy cache is designed to resist this attack. > > Well, not "resist" so much as reduce the effectiveness, since it will > now only be effective on first contact, or perhaps when no mail is sent > to the destination for a long time and the cached policy expired. > > > We additionally consider the Denial of Service risk posed by an > > attacker who can modify the DNS records for a victim domain. Absent > > SMTP STS, such an attacker can cause a sending MTA to cache invalid > > MX records for a long TTL. With SMTP STS, the attacker can > > additionally advertise a new, long-"max_age" SMTP STS policy with > > "mx" constraints that validate the malicious MX record, causing > > senders to cache the policy and refuse to deliver messages once the > > victim has resecured the MX records. > > Many DNS resolvers have sensible upper-bounds on record TTLs. It the > attacker can obtain a certificate for the victim domain, they may > indeed inject a long-lived policy, but the TXT record affords the > victim the opportunity of recovery. This paragraph needs work. > > Finally, some discussion is appropriate of the fact that given weaker > downgrade-resistance of STS viz. DANE, implementations that support > both should apply DANE first and STS only in its absence. Indeed with > the MX RRset validated via DNSSEC the "mx" policy element is not really > needed to prevent MX record forgery, however that depends on the outcome > of the "mx" vs. "san" discussion. > > There should probably be a recommendation that sending systems implement > DANE in addition to STS. It is much easier to use a validating resolver > than to sign one's own domain, and so the barrier to option of outbound > DANE is significantly lower. I'll have some additional implementation > news to report shortly... > > > 10.1. Example 1 > > > > The owner of "example.com" wishes to begin using STS with a policy > > that will solicit reports from receivers without affecting how the > > messages are processed, in order to verify the identity of MXs that > > handle mail for "example.com", confirm that TLS is correctly used, > > and ensure that certificates presented by the recipient MX validate. > > > > STS policy indicator TXT RR: > > > > mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" > > > > STS Policy JSON served as the response body at [1] > > > > { > > "version": "STSv1", > > "mode": "report", > > "mx": ["mx1.example.com", "mx2.example.com"], > > "max_age": 123456 > > } > > Note, the "max_age" here is barely over a day, which is not consistent with > the recommended policy lifetimes. Even "report" policies should probably > have better downgrade protection through longer lifetimes (say a week or > more). > > > 11. Appendix 2: Message delivery pseudocode > > > > Below is pseudocode demonstrating the logic of a complaint sending > > MTA. This implements the "two-pass" approach, first attempting > > delivery with a newly fetched policy (if present) before falling back > > to a cached policy (if present). > > Should that be "complaint" or "compliant"? :-) I would expect that > sane implementations will use cached policies first, and only both > refreshes based on TXT record changes or refresh timers, with updates > in the background. Synchronous updates of policy at message delivery > time are exceedingly unappealing at least to me. > > > func certMatches(connection, mx) { > > // Return if the server certificate from "connection" matches the "mx" > host. > > This could use a detailed discussion of what "matches" means, or a > back-reference to a section that does. Covering wildcard use in > either or both of the reference and presented identifiers, and > possible additional text if "mx" becomes "san". > > > func getMxsForPolicy(domain, policy) { > > // Sort the MXs by priority, filtering out those which are invalid > according > > // to "policy". > > } > > [ "mx" vs. "san" ] > > > func tryGetNewPolicy(domain) { > > // Check for an MTA STS TXT record for "domain" in DNS, and return the > > // indicated policy (or a local cache of the unvalidated policy). > > } > > The DNS lookup may succeed, and the HTTPS lookup may tempfail, what > happens in that case? What happens with an authenticated 404 HTTPS > response? Let's avoid "unvalidated" here, or else avoid its use > in the context of "peer authentication". > > > func cachePolicy(domain, policy) { > > // Store "policy" as the cached policy for "domain". > > } > > Along with the policy one should generally store the time > at which it was last retrieved, and the time of any unsuccessful > refresh attempts since then. This supports both eventual > expiration, and proactive refresh, with multiple retries, as > the policy approaches expiration. > > > func tryMxAccordingTo(message, mx, policy) { > > connection := connect(mx) > > if !connection { > > return false // Can't connect to the MX so it's not an STS error. > > } > > status := !(tryStartTls(mx, &connection) && certMatches(connection, > mx)) > > status = true > > What's happening with "status" here? I think the first assignment goes... > > > if !tryStartTls(mx, &connection) { > > status = false > > reportError(E_NO_VALID_TLS) > > } else if certMatches(connection, mx) { > > Missing negation? > > > status = false > > reportError(E_CERT_MISMATCH) > > } > > if status || !isEnforce(policy) { > > return tryDeliverMail(connection, message) > > There are potential complications when an MX host > accepts a proper subset of the envelope recipients > and tempfails the rest, or fails for reasons unrelated > to policy, ... So a simple boolean here is not enough. > Delivery to backup MX hosts continues so long as > recipients that are neither delivered nor permanently > rejected remain. STS policy failure is just one way > that (all the) recipients may remain unresolved. > > > } > > return false > > } > > > > func tryWithPolicy(message, domain, policy) { > > mxes := getMxesForPolicy(domain, policy) > > if mxs is empty { > > reportError(E_NO_VALID_MXES) > > } > > for mx in mxes { > > if tryMxAccordingTo(message, mx, policy) { > > return true > > } > > } > > return false > > } > > > > func handleMessage(message) { > > domain := ... // domain part after '@' from recipient > > oldPolicy := tryGetCachedPolicy(domain) > > newPolicy := tryGetNewPolicy(domain) > > In practice, the cached policie's DNS id will be compared with > the current DNS value and if identical, no new policy will be > fetched. If different, a new policy should be fetched, but > perhaps in the backround, with delivery continuing per the > cached policy. > > > if newPolicy { > > cachePolicy(domain, newPolicy) > > oldPolicy = newPolicy > > } > > if oldPolicy { > > return tryWithPolicy(message, oldPolicy) > > } > > // There is no policy or there's a new policy that did not work. > > // Try to deliver the message normally (i.e. without STS). > > } > > -- > Viktor. > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Jeremy Harris
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review David Illsley
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis