Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal
Viruthagiri Thirumavalavan <giri@dombox.org> Mon, 07 January 2019 12:24 UTC
Return-Path: <giri@dombox.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2D6130E97 for <uta@ietfa.amsl.com>; Mon, 7 Jan 2019 04:24:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dombox.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RZ3f9JnGrD61 for <uta@ietfa.amsl.com>; Mon, 7 Jan 2019 04:24:16 -0800 (PST)
Received: from mail-yw1-xc29.google.com (mail-yw1-xc29.google.com [IPv6:2607:f8b0:4864:20::c29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE9DF130E0A for <uta@ietf.org>; Mon, 7 Jan 2019 04:24:15 -0800 (PST)
Received: by mail-yw1-xc29.google.com with SMTP id t13so43684ywe.13 for <uta@ietf.org>; Mon, 07 Jan 2019 04:24:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dombox.org; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=0S+JiIVkj89cJRLdTtYVkPGaEgUL5baj3AuNRN/rroo=; b=hpVk50cK4xT1No+FH8gOlIA8AfVTGTsBZONcxEXuE6dZPRcLIAPTmdYmOBtU70H2ke z6MG0WbURgGytLQY/iK6DAFCddg8gSHTtKhTYtI6PXGNpPWivc2iZzvHm0k45Xxfzp3z MZTWJhYPChpvNuYcmz3N1VY6C78jE1INX2f1NpS5wKvQCreqSM2rvl2TV3qH301570t1 W0uh2B0BjM8o2T+80TBB5n8LBNEl8xcBdjFT1Zxg1U/ihCJ+qtyGIwMDUEn49FzYexTK JtXYzADbZrbkQm/lQprHQAp6wIk6YcaPOYWrhygRp57Lj52oRymL8CHaAHhUMnratul/ ocow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=0S+JiIVkj89cJRLdTtYVkPGaEgUL5baj3AuNRN/rroo=; b=cGYTiqUFvlwQfuEsAmgzxEFx89h1HYmEAUJzViyo0xAPigGNMlEzawz87Ld7YAYNA6 4ycpDj5uYJ7VW0Qbb1axnI/4mnWQopQ4WChPlVumcU+O9M6oRsEkEd6awg0+ADoZK0JF m0ASfnElvLQmNYRpoyEqlNWRSdBTGiZihNwNYBehXX0sfXGod+CnthI2I8762ZnRHWhv dvIYoccTyvHCJCobwM4v587WIQJ2/K0hXFJCK9gA7WjIni6xJDG1/6WmBl7J5gZuc4ij LGBFWoyZUMzmaveUk0NV3mGSZhThznnluS4VdhBTJqzPb4BwZ4Xf7xn0j0C9J7JjFVBN Rg1Q==
X-Gm-Message-State: AA+aEWY54SmhzjfEfihQxbUtMHHbRpA7LpEhnt3T2zcePY2ZqAr9yGI0 1A2AhC/L4I7/XnYEUn8VLqgUeh6FY/ScTLCrP6TPyuIy8wY=
X-Google-Smtp-Source: AFSGD/Vd1wUAXXq6iZDgt4Yfim7/KUOLI47mRoUSkH7RMpnJcKG7lidZ5sT5YwKR3vhSmDNWkhBc/mrAakL/IEL5Bec=
X-Received: by 2002:a81:a054:: with SMTP id x81mr61706564ywg.293.1546863854544; Mon, 07 Jan 2019 04:24:14 -0800 (PST)
MIME-Version: 1.0
References: <CAOEezJTyEf+Sn9ZqQPue1DFUSoFO211YogJ6ufYJxswWzXk=_A@mail.gmail.com> <20190106010828.CC431200C5ED52@ary.qy> <CAOEezJShOYkmy8-E+8zG=CPXxrWNcxf8q8W8MnW-v1RT0FzEWw@mail.gmail.com> <123cecc0-aba2-9530-c0d9-b6437f295140@domblogger.net> <88fad90d-24b6-fe4d-5df8-bc294c4f6b33@bluepopcorn.net> <CAOEezJS+T3pP-GqwJFeT=HGbOu1TkY6W0kyjP9_FcVsaJ=hw7A@mail.gmail.com> <b4fe2502-dc1e-5dea-8515-b69ed262ac8f@domblogger.net> <CAOEezJTFxhRYGKQD0a8LLEL7UTPKmfdF5uYLDpZdj3Zm9P+wZw@mail.gmail.com> <35456e82-c149-864f-3312-cff55af68551@domblogger.net>
In-Reply-To: <35456e82-c149-864f-3312-cff55af68551@domblogger.net>
From: Viruthagiri Thirumavalavan <giri@dombox.org>
Date: Mon, 07 Jan 2019 17:53:59 +0530
Message-ID: <CAOEezJTTp-VDvChuTcG5yD4yAVe9M0eKZnN11tKXV79O53ai5w@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009100bc057edd4e76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/44uWQy6NZn9Mvc8mawFxr14801I>
Subject: Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 12:24:20 -0000
@Vittorio Bertola I'm trying to help the IETF community in the way I can. Of course I'm gonna revise my work and ask for feedback. That's what this mailing list is for right? If the mailing list terms says that I should not ask feedback upon improving my work, then yes what I'm doing is wrong. You didn't put any effort to help me, yet you think you have the right to attack me on a public forum? Do you really think I'm spending my time here for my personal gain? It seems like your intention here is to attack me based on my few months old post. You also seem quite confident that I lied there without even going through my paper. If you had completed my paper, then you wouldn't be so cocky here. Ok you won. I'm gonna leave this mailing list because you feel annoyed here because of me. My only question here is, how confident are you that my spam solution never gonna work? e.g. I would give you a million dollar if it works, I would kill myself if it works etc. You also seem like a honourable man. So I believe you would honour your words if my spam solution really work. Before you give your word, you should know this is what investors think about my work. https://www.dropbox.com/s/599s5iz25h1d680/Screenshot%202019-01-07%2017.12.11.png?dl=0 And that's coming from an engineer turned investor who have experience in mail servers. So I'm not trying to rip off innocent investors. That investor turned me down because my solution requires bigger bets. So yeah just because I don't have a billion dollar company in few months doesn't mean my solution failed. It means I'm still trying to find an investor who is ready to go through my 300 pages research paper. You might have had some respect for me and my work, if you really had gone through the presentation I posted on that day. I really hate guys like you. Because guys like you act like "know-it-all" and the guys like me are the victims. @Alice Wonder You are really a nice person and it's really an honour to have discussion with people like you. I was actually working on my product. When you are working with SMTP, you definitely know the SMTP problems. I noticed the STARTTLS downgrade issue not addressed properly. And I felt both STS and DANE are overkill for an average user. So I signed up to this mailing list and posted my proposal. I have other proposals too for SMTP. But I don't think guys like Vittorio gonna appreciate my work until I gain some public reputation. To their eyes I'm a overconfident idiot. So I'll leave this mailing list for now. But I love to have a discussion with people like you. So I'll collaborate with you someday. @Everyone Thanks for helping me. It means a lot. Good luck On Mon, Jan 7, 2019 at 4:20 PM Alice Wonder <alice@domblogger.net> wrote: > On 1/7/19 2:09 AM, Viruthagiri Thirumavalavan wrote: > > Alice thanks for the insight. > > > > Rather than use a hostname to specify SMTPS only, how about a DNS TXT > > record to indicate SMTPS only? > > > > > > Third party mail hosting services usually provide services for millions > > of domains. You are asking those millions of people to go for 1 more > > step. I'm asking that step should be embedded in the mx hostname. Users > > should do the steps as they did before, but now the mx records contains > > smtps prefix. > > > > They already will query for the existence of the MTA-STS record, and > likely have unbound or similar caching resolver running on the localhost > or at least at same hosting facility that caches the response to the query. > > Why not just require STARTTLS if the TXT record for > _mta-sts.example.org. exists? They check for that anyway. > > > And if that DNS TXT record exists, rather than waste a < 1024 port > > number, just have the MTA client use Port 25 with STARTTLS required. > > Then it is just like MTA-STS except w/o the HTTPS component that > > secures > > the MX record. > > But bottom line is to be RFC compliant, an MX host MUST accept on > Port > > 25 without encryption. > > > > > > You are worried about wasting a port. But I'm worried about bringing > > full possible encryption to the SMTP. I have never heard of many of the > > services found in < 1024 ports. You maybe too. So i'm pretty sure IANA > > ok with assigning a new port to SMTPS. > > I do want full possible encryption brought to SMTP. This is why I > encourage DANE for SMTP with MTA-STS as a backup for servers / clients > that do not implement DANE for SMTP. > > The problem is solved. > > > > > My proposal is to being "Implicit TLS" to the SMTP relay. If you don't > > allocate a new port, then people are not going to take the solution > > seriously. And as you mentioned, an MX host MUST accept on port 25 > > without encryption. So you can do all the hack you want like STARTTLS, > > port 25 is never gonna be treated as a fully secure protocol. Via > > STARTTLS we are trying to provide "best effort" security. SMTPS can > > provide "Full effort" security. That's the maximum possible security we > > can provide. Top to bottom everything encrypted. We all moved to HTTPS > > today. It will take many decades to completely move to SMTPS. Maybe 20 > > years. But if we worry about wasting a port today, then it's gonna take > > forever. > > You are missing the point. > > It is up to MTA client to decide whether or not encryption should be > required. You can have your MTA client do that today, right now, without > needing to use a different port. > > What you want is a client that gets its cue to go into that secure only > mode from the MX record, but that is an easily defeated trigger if the > MX record is not secured. > > There are two ways to secure the MX record - DNSSEC and MTA-STS, both of > which then already require STARTTLS without needing a new port assigned. > > There is also the STARTTLS Everywhere project which provides a GPG > signed json file of hosts you should require STARTTLS with. It is fairly > easy to turn that JSON fine into a Postfix policy map, I assume the same > applies to other MTA clients. That is a good temporary solution while > software/admins catch up with implementing DANE and MTA-STS in the MTA > clients and servers. And it does not require a new port. > > Port 26 gives us nothing that a policy map file with domains we know > should require STARTTLS does not also give us. > > How about instead of designating a new port, a "best practices" RFC is > created suggesting that MTA clients require STARTTLS when the the > MTA-STS record exists, whether or not the policy file can be > successfully retrieved by HTTPS? > > That will allow system administrators who are having trouble setting a > web server for the MTA-STS policy file to still advertise they have set > up TLS on their mail server. > > How about this: > > When the MTA-STS DNS record has a serial number of 0 *and* > mta-sts.example.org domain name does not have an A or AAAA record, then > the MTA client SHOULD still require STARTTLS. > > That would allow MTA clients to know they should at a minimum require > STARTTLS with mail sent to that domain, it would not require any DNS > queries beyond what is already required, and it would not require DNSSEC > or a HTTPS web server. > > But MX admins should still do both DANE and MTA-STS whenever possible to > secure the MX record. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > -- Best Regards, Viruthagiri Thirumavalavan Dombox, Inc.
- [Uta] SMTP Over TLS on Port 26 - Implicit TLS Pro… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Jeremy Harris
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viktor Dukhovni
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viktor Dukhovni
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Grant Taylor
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Grant Taylor
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Jim Fenton
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Vittorio Bertola
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Vittorio Bertola
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Vittorio Bertola
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Daniel Margolis
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Viruthagiri Thirumavalavan
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Franck Martin
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Peter Gutmann
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Jim Fenton
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Peter Gutmann
- [Uta] Deprecating "Opportunistic TLS" (not) Viktor Dukhovni
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Vittorio Bertola
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Alice Wonder
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Daniel Kahn Gillmor
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Jeremy Harris
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Vittorio Bertola
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… John R Levine
- Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS… Peter Gutmann