Re: [Uta] Last call: <draft-ietf-uta-smtp-require-tls-03> "SMTP Require TLS Option"
Jim Fenton <fenton@bluepopcorn.net> Mon, 27 August 2018 17:58 UTC
Return-Path: <fenton@bluepopcorn.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410D3128B14 for <uta@ietfa.amsl.com>; Mon, 27 Aug 2018 10:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ud6Gxzs_tWKb for <uta@ietfa.amsl.com>; Mon, 27 Aug 2018 10:58:29 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9496712785F for <uta@ietf.org>; Mon, 27 Aug 2018 10:58:29 -0700 (PDT)
Received: from steel.local (sfosf0017s350801.wiline.com [64.71.6.2] (may be forged)) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id w7RHwRuY018721 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <uta@ietf.org>; Mon, 27 Aug 2018 10:58:28 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1535392708; bh=BUYPExbgP5yw0nQmXJURije9BFXNUfyLV4VfTv0Q2g4=; h=Subject:To:References:From:Date:In-Reply-To; b=NkjH2u6d5scohzD/3c8G1tljDdrgCbCOUrwhVHTw7CRqikidp9R82GcyCBDL9HvXH Jlz3DKV5LAKKfxAy60LWn+p03KBQSNXQiSFFO2wYhhRngcGY4S4YnuJdDa8r+yL3ss TagIZ35fLyRBPnkCaXyfY3t/1HUCmegfqQ3/5iaw=
To: uta@ietf.org
References: <04ba01d41ebf$c9436110$5bca2330$@gmail.com> <792C74AF-EDAA-4316-B3FC-4075BC3F8EB3@dukhovni.org>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <661a0fca-fef8-b1b3-0f23-2f9c68c357a8@bluepopcorn.net>
Date: Mon, 27 Aug 2018 10:58:19 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <792C74AF-EDAA-4316-B3FC-4075BC3F8EB3@dukhovni.org>
Content-Type: multipart/alternative; boundary="------------F7298E4611EFAAADE1A224A8"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/4jqmEiiOTbPAUJ4siTVXfaakHSA>
Subject: Re: [Uta] Last call: <draft-ietf-uta-smtp-require-tls-03> "SMTP Require TLS Option"
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 17:58:31 -0000
On 8/23/18 6:49 PM, Viktor Dukhovni wrote: > >> On Jul 18, 2018, at 1:50 PM, Valery Smyslov <smyslov.ietf@gmail.com> wrote: >> >> draft-ietf-uta-smtp-require-tls-03 > In https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03#section-4.2.1 > bullet 3, the reference to DANE authentication is to RFC6698, but DANE for SMTP > is defined in RFC7672. The RFC6125 reference as an alternative may not be a > sufficient alternative to DANE, since absent one of DANE or MTA-STS (and in the > absence of DNSSEC validation of the MX lookup) the protocol is vulnerable to DNS > forgery of the MX hostname. It looks like RFC7672 is the more appropriate reference to cite, so thanks for that correction. I don't understand what MTA-STS has to do with this, though; isn't it only DNSSEC validation of the MX lookup that matters as far as forgery of the MX hostname is concerned? > > The same issue re non-DANE authentication is also in Section 2: > > o The certificate presented by the SMTP server MUST either verify > successfully in a trust chain leading to a certificate trusted by > the SMTP client or it MUST verify succesfully using DANE as > specified in RFC 7672 [RFC7672]. For trust chains, the choice of > trusted (root) certificates is at the discretion of the SMTP > client. It looks like I got the correct reference there. > > In this document MTA-STS seems to only be mentioned as policy source to > ignore with "RequireTLS: NO", but not as the alternative authentication > mechanism when DANE is not available. DANE is mentioned as one of the policy mechanisms in the introduction (paragraph 2), but the text in Section 3 only says "policy-based mechanisms", and I agree that it would be clearer to enumerate them. Of course, underlying DNSSEC failures in the MX lookup will be difficult to ignore, since verifying resolvers will just return a SERVERR rather than the address of the MX record. I'm not aware of any API hooks that force the resolver to ignore this. Is there any? > > This is recognized in the Security Considerations: > > Another active attack involves the spoofing of DNS MX records of the > recipient domain. An attacker having this capability could cause the > message to be redirected to a mail server under the attacker's own > control, which would presumably have a valid certificate. REQUIRETLS > does not address this attack. > > Might it not make sense to close this hole and require one of MTA-STS > or DANE? This delays the practical deployment of REQUIRETLS (yes) to > such time as at least of one MTA-STS or DANE is generally present, but > I think this is better than leaving the above security gap unaddressed. > An important class of attacks involves only interference with STARTTLS negotiation [1]; there is a wide variety of off-the-shelf commercial products that provide this capability. It would be beneficial to provide protection against these attacks even if REQUIRETLS doesn't protect against DNS spoofing, and I am concerned that requiring DNSSEC (by both the MX record's zone and the resolver the client uses to retrieve it) would delay this benefit for an unacceptably long time. Of course, I think that the better approach is to provide a REQUIRETLS option to allow the client to require DNSSEC where it is expected to work, but the WG has asked me to remove that. -Jim [1] Durumeric, Zakir, J. Alex Halderman, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, and Michael Bailey. “Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security,” 27–39. ACM Press, 2015. https://doi.org/10.1145/2815675.2815695.
- [Uta] Last call: <draft-ietf-uta-smtp-require-tls… Valery Smyslov
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Valery Smyslov
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Jim Fenton
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Jeremy Harris
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Valery Smyslov
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Valery Smyslov
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Viktor Dukhovni
- Re: [Uta] Last call: <draft-ietf-uta-smtp-require… Jim Fenton