Re: [Uta] New proposal: SMTP Strict Transport Security
David Schweikert <david@schweikert.ch> Fri, 08 April 2016 15:16 UTC
Return-Path: <david@schweikert.ch>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26BF312D958 for <uta@ietfa.amsl.com>; Fri, 8 Apr 2016 08:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=schweikert.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wxm3v5HhBFI for <uta@ietfa.amsl.com>; Fri, 8 Apr 2016 08:16:10 -0700 (PDT)
Received: from mail.schweikert.ch (gore.schweikert.ch [176.9.38.243]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5EB412D91C for <uta@ietf.org>; Fri, 8 Apr 2016 08:16:03 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.schweikert.ch (Postfix) with ESMTP id B0C8D602BF for <uta@ietf.org>; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=schweikert.ch; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mail; t=1460128560; bh=XyAgj8rnukS+5DC7LB13/BFhe48NKQRSaqDJrJm5hQA=; b=EPCkd7WBAaM8 MOaO1u+ISttP+A9fuOjsCwdNgNrClfr8G75yXpZaF+eImZ34vMDQItlPjybcXDuO mMCo9S1CHuWgH4Uoc+5SqtayWzIdzBbK1ipIT0k/CVx2tqHryzQht9Sd4ymbrwAf NHzuPkMz8gzJMh0XGUEXug3EvGPcsuERQgXPxJqee4eDeJZw8IFt8mE6KPH0trUb 8L6S9/wb4umA6UhC1l2XP4f/PXg6/VGE1tKXMwUI3F6vyv1lY0QZ5nBzeuOBYLJb vqa0aOxnVh+SQ08CxbXZhm4riGVwIKluB0Fk6HpMGGbx4kZJYUGOYKG3tLlxNBbT NfvTX/Nehg==
X-Virus-Scanned: Debian amavisd-new at mail.schweikert.ch
Received: from mail.schweikert.ch ([127.0.0.1]) by localhost (mail.schweikert.ch [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id oWZGiTgkMYRY for <uta@ietf.org>; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
Received: by mail.schweikert.ch (Postfix, from userid 1000) id 93CF5636DE; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
Date: Fri, 08 Apr 2016 17:16:00 +0200
From: David Schweikert <david@schweikert.ch>
To: uta@ietf.org
Message-ID: <20160408151600.GB13343@schweikert.ch>
References: <20160405002118.6f7bb0b274@8da9a8ad15f2049> <1570673069.2008767.1459813453573.JavaMail.yahoo@mail.yahoo.com> <835BFD7B-B8F1-43CD-8E6B-AC474E9A1741@azet.org> <CANtKdUewMQ5jVAUOaWfuUquFdDB_dh_jNEfAo7T=qruqzszGqw@mail.gmail.com> <1A3DB748-26E6-404D-84F5-962B3AA21AB4@azet.org> <CANtKdUf9MujQxZQMz8xbPi+EVOYXLWgR342x1-S8u12PPm-TAA@mail.gmail.com> <20160406224039.GH26423@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160406224039.GH26423@mournblade.imrryr.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/NplteqpwvS9Uaw9I1LiYhVrLsDg>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 15:16:24 -0000
Hi Viktor, On Wed, Apr 06, 2016 at 22:40:40 +0000, Viktor Dukhovni wrote: > * Is it enough for delivery via just the first MX tried to succeed? > Or does the initial delivery need to confirm more than one MX host? > > * Is delivery to a second MX host after failing the first a "success"? > > * How about a site only some of whose MX hosts match the STS policy constraints? What about considering STS to be a mechanism that verifies something that should always be true, and just generating a permanent failure if you encounter something that doesn't match that policy? Like a sort of "assertion check" on what you see following the normal processing path. > As STS evolves the requirements may change, but we'd want to nail > down the delivery-agent to STS-agent protocol, so that STS-agents > can be add-ons that evolve largely separately from Postfix, without > requiring new C-code in new Postfix releases to stay current with > the protocol. You could design a protocol that is very similar to the postfix access policy delegation protocol: - Postfix SMTP connects to the chosen next hop and does the handshake - It gives via policy protocol all information that it has about the connection (hostname, IP, TLS information, etc.) - In case something is bad, the policy demon can return "REJECT" with a reason (and initiate reporting by registering the failure in some database). > It may also be helpful to explain that the "domain" for which the > STS client is doing policy lookup is not necessarily the domain > part of the recipient address(es) in the message envelope. While > these are typically the same, in some cases the nexthop domain may > be a "smarthost" relay or a manually configured nexthop for a set > of designated recipient domains. I don't understand this: why would the STS client do a policy lookup not on the recipient address? I understand that you can have a different nexthop specified in your transport map, but why look that up instead of the recipient address domain? > Another one of the things that DANE "gets right", is that TLSA > records are service-endpoint-specific. MTAs may at times be > configured to relay some or all mail via nexthop:port with a port > other than 25. > > The certificate on port 587 (or whatever) may be different than > the one on port 25 and the desired TLS policies may be different > for the different (by port) SMTP services. Maybe you should be able to disable the STS check in those cases where you do some local override? > To avoid deliver pipeline stalls we'd expect the out-of-process > STS delivery agent to reply immediately with no policy when it does > not already have at least an embryonic unvalidated policy cached, > and to schedule a policy fetch in the background. The policy would > only be used and validated on the first delivery *after* it was > already cached locally (as an unvalidated policy). Yes, that's really a problem in the policy-delegation idea. I guess you could return a "DEFER" and thus force the mail to be back in the queue, waiting for the fetching of a current policy to finish? But then you have the problem that postfix is going to retry with another hop... Cheers David
- [Uta] New proposal: SMTP Strict Transport Security Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Neil Cook
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- [Uta] SMTP Strict Transport Security - reporting Alexey Melnikov
- Re: [Uta] SMTP Strict Transport Security - report… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] SMTP Strict Transport Security - report… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Binu Ramakrishnan
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… ned+uta
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner