Re: [Uta] Smallest practical MTA-STS maximum policy age?
Daniel Margolis <dmargolis@google.com> Mon, 25 May 2020 07:39 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF163A0CCD for <uta@ietfa.amsl.com>; Mon, 25 May 2020 00:39:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wD5V8IAHWZIe for <uta@ietfa.amsl.com>; Mon, 25 May 2020 00:39:45 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28F4C3A0CD2 for <uta@ietf.org>; Mon, 25 May 2020 00:39:45 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id c3so11898367wru.12 for <uta@ietf.org>; Mon, 25 May 2020 00:39:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3AFpgNwuX9BnyvMc7Mq3lY3gY77H71KIkSvLzbgl7gs=; b=Z30EDe/ZO3+5asu8O3wqfNLQemv48+kxVOzuA3cX456on1P4etzI2rCbnNqeDmh03e TK/iy7H6SDtQebNkYuMlAwW3Ng4VsdHSxvtGyEeqYkfnPHNZ4oz4li4Om1BRdnI4aYVZ LvTrVlF/ssVYnQjN4/tdIC0O3lbsWig1SBFbKhqQR2nPd60hBmekI3p2k6lQQ4Gn8Wqb rrHVBTv36tEkNGdI+24kAp3gwKu7QrCAu1W04loCtTRJKB48OyoZ3bHgZQfK7s4gXQgT xthbWcJzLcABGuD9EvblN1UyJN+nZarHWkwnT3Y8v9KqVUA6mQixJk90r++zKMcMjylb LK6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3AFpgNwuX9BnyvMc7Mq3lY3gY77H71KIkSvLzbgl7gs=; b=RfIEag0uiLgczONExhJmP+kMUnaBXVgmflQ2MO3XVmek7sAgTCaaV7/tTHulam/8Gl AMVLbqxsVRy4EnZUAKRXOVLnNgTaNuhaT5mYb0ZuUVotLJe42ApnqgI+6fr9FlraAZTd RWoYkxDdtxqPgTPXkh0MY/WPJPaVmassNunGnQ5jKxkfVjucO/UVWEu1shSi3NNHuvW0 eGtEyeuQ8dbTJXbpmwai9prRageL3TIdw/CxJSkH+zRsfazq7TE/69wZDhSlqOXZ/++H /1ONqhAuElXboQGIOrc2zPFsu+dZJ77CBM9z/nGymfjTp/TlCediMymCVzVJg5fU9lqa mRHQ==
X-Gm-Message-State: AOAM531vOwEdrujWKhxHcl8/IYzdY93WFulHnxMh5rpsodrb9+sUeTm6 QN/kxGsIxB/91/hyjhVjvukJoJMl2wKqZm4U2ERVQw==
X-Google-Smtp-Source: ABdhPJx76VuxtZl/XCK71pfcp7fhE/6kMjB+4/8z/Sy4xJGw0D5tZzJK/HScEhGLf3wm4EewnLG2vdF4y9LJzq+CKl0=
X-Received: by 2002:a5d:468d:: with SMTP id u13mr491208wrq.73.1590392382634; Mon, 25 May 2020 00:39:42 -0700 (PDT)
MIME-Version: 1.0
References: <CANHgQ8H0dnNQCzrP0rXxZhLh+D52vsqiRyOk8pu9fFifZwBWTw@mail.gmail.com> <20200524161851.47C0C199403D@ary.qy>
In-Reply-To: <20200524161851.47C0C199403D@ary.qy>
From: Daniel Margolis <dmargolis@google.com>
Date: Mon, 25 May 2020 09:39:29 +0200
Message-ID: <CANtKdUfmHrkrmyaPotjsK0fAuvq7WjQ7x50aOTtH4ZAbzCzz4A@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: uta@ietf.org, Ivan Ristic <ivan.ristic@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000000c70c005a67415c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/9Uzi6Ytk4lrNJi6-G_mbDQTAUts>
Subject: Re: [Uta] Smallest practical MTA-STS maximum policy age?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2020 07:39:48 -0000
Gmail's max_age is (as you can see) 1 day ( https://mta-sts.gmail.com/.well-known/mta-sts.txt). (Looking at other big mail providers, Comcast is at 30d, Outlook at 7d, mail.de at 28d, and Yahoo at 1d--so I feel like we could raise Gmail's!) It would be reasonable for an MTA to ignore a policy that had a timeout of, like, 1 second, since for many lower-volume senders policy refreshes might thus constitute a meaningful increase in traffic. So don't do that. ;) On Sun, May 24, 2020 at 6:19 PM John Levine <johnl@taugh.com> wrote: > In article < > CANHgQ8H0dnNQCzrP0rXxZhLh+D52vsqiRyOk8pu9fFifZwBWTw@mail.gmail.com> you > write: > >> Thus, my take is that MTA-STS policies with a max_age less than ~30 days > >> are potentially ineffective, and perhaps not worth the bother. > > > >Sure, for production use. > > > >The issue I am seeing is this: New users are experimenting with MTA-STS > and > >wish to use a small policy duration until they're confident in their > >configuration. They use values in hours and don't get any reports. > > > >Perhaps there's a case for specifying a minimum acceptable policy duration > >in RFC errata or something? > > I publish 86400 max_age and get lots of reports, mostly from Google > and Comcast. If they're testing they should be using testing mode, > and the age doesn't matter so much. > > version: STSv1 > mode: testing > mx: <whatever> > max_age: 86400 > > My setup is a little odd because my mail servers have a different name > for each domain pointed at them so I'm also testing whether clients > provide SNI to ask for the right certificate and my servers correctly > provide it. As far as I can tell they all do. It's not a perfect test > because all of the certs for each server have the same key and so the > same TLSA which (I think, Viktor?) would work even if it provided the > wrong certificate. > > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > -- How's my emailing? http://go/dan-email-slo
- [Uta] Smallest practical MTA-STS maximum policy a… Ivan Ristic
- Re: [Uta] Smallest practical MTA-STS maximum poli… A. Schulze
- Re: [Uta] Smallest practical MTA-STS maximum poli… Viktor Dukhovni
- Re: [Uta] Smallest practical MTA-STS maximum poli… Ivan Ristic
- Re: [Uta] Smallest practical MTA-STS maximum poli… John Levine
- Re: [Uta] Smallest practical MTA-STS maximum poli… Daniel Margolis