IETF Logo Mail Archive

Re: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE

Mechiel Lukkien <mechiel@ueber.net> Mon, 20 November 2023 11:21 UTC

Return-Path: <mechiel@ueber.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62A9FC151524 for <uta@ietfa.amsl.com>; Mon, 20 Nov 2023 03:21:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=ueber.net header.b="6OLI8Qu1"; dkim=pass (2048-bit key) header.d=ueber.net header.b="Mp+jnUZM"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgtuQWP0EPIP for <uta@ietfa.amsl.com>; Mon, 20 Nov 2023 03:21:00 -0800 (PST)
Received: from mail.axillis.nl (mail.axillis.nl [IPv6:2a02:2770:12:0:21a:4aff:fee0:fa47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D938C15109F for <uta@ietf.org>; Mon, 20 Nov 2023 03:20:58 -0800 (PST)
Received: from mail.axillis.nl by mail.axillis.nl id Qz_2UBsWn5khBIN6bAQq4w for <uta@ietf.org>; 20 Nov 2023 12:20:56 +0100
DKIM-Signature: v=1; d=ueber.net; s=2023a; i=mechiel@ueber.net; a=ed25519-sha256; t=1700479256; h=From:To:Cc:Bcc:Reply-To:References: In-Reply-To:Subject:Date:Message-Id:Content-Type:From:To:References: In-Reply-To:Subject:Date:Message-Id:Content-Type; bh=ZR6BX1Mw9b9y2fAQ9OJHFpnNvc1DI5enzO4OV/GwEoQ=; b=6OLI8Qu1OY73Uj+SC/8M9I9pIJ oKExScSeKL/CVs8QfFMwOsew9sTGIQCpepNqrIo12cfyNYAy7CeieWPShhCA==
DKIM-Signature: v=1; d=ueber.net; s=2023b; i=mechiel@ueber.net; a=rsa-sha256; t=1700479256; h=From:To:Cc:Bcc:Reply-To:References:In-Reply-To:Subject:Date: Message-Id:Content-Type:From:To:References:In-Reply-To:Subject:Date: Message-Id:Content-Type; bh=ZR6BX1Mw9b9y2fAQ9OJHFpnNvc1DI5enzO4OV/GwEoQ=; b=M p+jnUZMWpcX+eqs4DwllpNBNB69iw156f8MN3zkPIrJaZNUgGuMZDA519qS+w9yHf6aNJlwM8EOxr exHT3SvCza6wbjWzEwcDWkRYjhvmQ85IY5I7TPuZD4S5zt3cBYzCWLfnuzm+PqenllPz1W585uUZt L7iajUWSi1MYE12DnZMzJulMZr5Szx3Je4Dt/S9BULfyIx4K8jwFakUh+t3W3/bfiq4LNuBHRvm0q g3g5/YjXyuvy4lHbTbnR3ycu50dNetKqn+Q2MiaY672o25tYBEkPIBkRXiSwE8KfXV1rOYxTr4Fd4 d36yQbtyDOQRn1J9uY42KohPEce0wF/4w==
From: Mechiel Lukkien <mechiel@ueber.net>
To: uta@ietf.org
Message-Id: <Wxz-pY4CkQyP_dpMAZWzkQ@mail.axillis.nl>
Date: Mon, 20 Nov 2023 12:20:56 +0100
In-Reply-To: <ZVfSj0aDuoHriayc@straasha.imrryr.org>
References: <MN2PR11MB4351F7BF452EF3C45C02196AF7B0A@MN2PR11MB4351.namprd11.prod.outlook.com> <f4uAUqwma6dZnvvieVptWA@mail.axillis.nl> <ZVZ1HjiF8pFJy9YN@straasha.imrryr.org> <z0g6Pmhf9JT0UaJaKNwQFg@mail.axillis.nl> <ZVfSj0aDuoHriayc@straasha.imrryr.org>
User-Agent: moxwebmail/51e314f65a94f01f5f4e620455b4a2202e578147+modifications
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/FBJRLceveEXemdZl7ROULzJK_9A>
Subject: Re: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2023 11:21:07 -0000

> Since DANE policy is managed by the email provider, and not the hosted
> domain, one should expect to find any TLSRPT endpoints listed for
> the MX hostname(s), with the MX operator being the primary responsible
> party for monitoring for an resolving any issues.
> 
> If the (MX) hosted customer domain operator is also interested in
> receiving TLSRPT messages, they could I guess also publish a suitable
> TXT record, and you might then notify either or both the customer
> and the service provided, deduplicating reporting endpoints, since
> some self-hosted sites may list the same endpoints for both.

That sounds reasonable, thanks. I've implemented deduplication of reports based on reporting addresses now. If the reporting addresses in the TLSRPT record for rcptdom and mxhost are the same, only one report is sent (unless they would contains TLS results for other domains as well).


> Go with the spirit, rather than the letter of the RFC.  The goal is to
> provide information to operators about observed failures, where
> "operators" means primarily those in a position to respond to any issue.

Ideally the intention, spirit and letter all match. (: I've kept my approach, but am expecting most implementations to interpret TLSRPT for rcptdom-only. At least until they start implementing DANE...


> I would prefer to not receive success report noise.  IIRC the TLSRPT
> DNS record does not have a field to indicate that success reports are
> not desired.  Software implementing TLSRPT should IMHO default to not
> sending success reports, and have that be a feature that the (sending)
> MTA operator has to turn on explicitly.
> 
> Ideally, it should also allow receiving domains to ask to opt-out of
> success reports, and so the software should also support exclusion
> lists for this case.

I don't mind success reports at the moment, though if everyone would start sending them it indeed could quickly become too much. Mostly because things will go wrong more often, like incoming reports that aren't properly authenticated, and outgoing reports that result in a DSN message. A tlsrpt record option to only send some success-only reports could help. But I think I recently read DMARCs pct= option wasn't too successful (by not being implemented correctly)... I've now made success-only reports optional, defaulting to sending reports only when there is a failure.


> Do the *right* thing, regardless of what Alex, I, or the RFC might say,
> defaulting to following the RFC when it is close-enough to the right
> thing, but RFCs are not always clear and not always in hindsight
> correct, so deviations or elaborations are sometimes necessary.
> 
> There is no RFC police.

Makes sense. As an implementer it would help to learn about situations like this. I typically only look at RFC's and errata, and some articles on the web. If there's a good place to publish notes for implementers (that will be found by implementers) and that doesn't (ab)use the errata reporting, I'm interested in that. 


> > > The set of defined error conditions is not necessarily exhaustive,
> > > if, while implementing, you think of compelling additions, propose
> > > additional entires for the IANA registry.
> > 
> > What would the procedure be? A new RFC? I'm assuming I cannot just
> > submit new values...
> 
> Some IANA registries are subject to expert review, and don't require
> "standards action".  You when need just an informational RFC through the
> ISE, so that others can find a stable reference for the code point.
> 
> Check the registry policy.  Of course if you want the new code point
> to see wide use, a short standards-action RFC through the UTA or
> other suitable WG may be best.

Thanks, will put this on a todo-list. Won't get to it soon.

Cheers,
Mechiel

v2.23.0 | Report a Bug | By Email