IETF Logo Mail Archive

Re: [Uta] New proposal: SMTP Strict Transport Security

David Schweikert <david@schweikert.ch> Fri, 08 April 2016 15:16 UTC

Return-Path: <david@schweikert.ch>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26BF312D958 for <uta@ietfa.amsl.com>; Fri, 8 Apr 2016 08:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=schweikert.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wxm3v5HhBFI for <uta@ietfa.amsl.com>; Fri, 8 Apr 2016 08:16:10 -0700 (PDT)
Received: from mail.schweikert.ch (gore.schweikert.ch [176.9.38.243]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5EB412D91C for <uta@ietf.org>; Fri, 8 Apr 2016 08:16:03 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.schweikert.ch (Postfix) with ESMTP id B0C8D602BF for <uta@ietf.org>; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=schweikert.ch; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mail; t=1460128560; bh=XyAgj8rnukS+5DC7LB13/BFhe48NKQRSaqDJrJm5hQA=; b=EPCkd7WBAaM8 MOaO1u+ISttP+A9fuOjsCwdNgNrClfr8G75yXpZaF+eImZ34vMDQItlPjybcXDuO mMCo9S1CHuWgH4Uoc+5SqtayWzIdzBbK1ipIT0k/CVx2tqHryzQht9Sd4ymbrwAf NHzuPkMz8gzJMh0XGUEXug3EvGPcsuERQgXPxJqee4eDeJZw8IFt8mE6KPH0trUb 8L6S9/wb4umA6UhC1l2XP4f/PXg6/VGE1tKXMwUI3F6vyv1lY0QZ5nBzeuOBYLJb vqa0aOxnVh+SQ08CxbXZhm4riGVwIKluB0Fk6HpMGGbx4kZJYUGOYKG3tLlxNBbT NfvTX/Nehg==
X-Virus-Scanned: Debian amavisd-new at mail.schweikert.ch
Received: from mail.schweikert.ch ([127.0.0.1]) by localhost (mail.schweikert.ch [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id oWZGiTgkMYRY for <uta@ietf.org>; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
Received: by mail.schweikert.ch (Postfix, from userid 1000) id 93CF5636DE; Fri, 8 Apr 2016 17:16:00 +0200 (CEST)
Date: Fri, 08 Apr 2016 17:16:00 +0200
From: David Schweikert <david@schweikert.ch>
To: uta@ietf.org
Message-ID: <20160408151600.GB13343@schweikert.ch>
References: <20160405002118.6f7bb0b274@8da9a8ad15f2049> <1570673069.2008767.1459813453573.JavaMail.yahoo@mail.yahoo.com> <835BFD7B-B8F1-43CD-8E6B-AC474E9A1741@azet.org> <CANtKdUewMQ5jVAUOaWfuUquFdDB_dh_jNEfAo7T=qruqzszGqw@mail.gmail.com> <1A3DB748-26E6-404D-84F5-962B3AA21AB4@azet.org> <CANtKdUf9MujQxZQMz8xbPi+EVOYXLWgR342x1-S8u12PPm-TAA@mail.gmail.com> <20160406224039.GH26423@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160406224039.GH26423@mournblade.imrryr.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/NplteqpwvS9Uaw9I1LiYhVrLsDg>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 15:16:24 -0000

Hi Viktor,

On Wed, Apr 06, 2016 at 22:40:40 +0000, Viktor Dukhovni wrote:
>  * Is it enough for delivery via just the first MX tried to succeed?
>    Or does the initial delivery need to confirm more than one MX host?
> 
>  * Is delivery to a second MX host after failing the first a "success"?
> 
>  * How about a site only some of whose MX hosts match the STS policy constraints?

What about considering STS to be a mechanism that verifies something
that should always be true, and just generating a permanent failure if
you encounter something that doesn't match that policy? Like a sort of
"assertion check" on what you see following the normal processing path.

> As STS evolves the requirements may change, but we'd want to nail
> down the delivery-agent to STS-agent protocol, so that STS-agents
> can be add-ons that evolve largely separately from Postfix, without
> requiring new C-code in new Postfix releases to stay current with
> the protocol.

You could design a protocol that is very similar to the postfix access
policy delegation protocol:

- Postfix SMTP connects to the chosen next hop and does the handshake
- It gives via policy protocol all information that it has about the
  connection (hostname, IP, TLS information, etc.)
- In case something is bad, the policy demon can return "REJECT" with a
  reason (and initiate reporting by registering the failure in some
  database).

> It may also be helpful to explain that the "domain" for which the
> STS client is doing policy lookup is not necessarily the domain
> part of the recipient address(es) in the message envelope.  While
> these are typically the same, in some cases the nexthop domain may
> be a "smarthost" relay or a manually configured nexthop for a set
> of designated recipient domains.

I don't understand this: why would the STS client do a policy lookup not
on the recipient address? I understand that you can have a different
nexthop specified in your transport map, but why look that up instead of
the recipient address domain?

> Another one of the things that DANE "gets right", is that TLSA
> records are service-endpoint-specific.  MTAs may at times be
> configured to relay some or all mail via nexthop:port with a port
> other than 25.
> 
> The certificate on port 587 (or whatever) may be different than
> the one on port 25 and the desired TLS policies may be different
> for the different (by port) SMTP services.

Maybe you should be able to disable the STS check in those cases where
you do some local override?

> To avoid deliver pipeline stalls we'd expect the out-of-process
> STS delivery agent to reply immediately with no policy when it does
> not already have at least an embryonic unvalidated policy cached,
> and to schedule a policy fetch in the background.  The policy would
> only be used and validated on the first delivery *after* it was
> already cached locally (as an unvalidated policy).

Yes, that's really a problem in the policy-delegation idea. I guess you
could return a "DEFER" and thus force the mail to be back in the queue,
waiting for the fetching of a current policy to finish? But then you
have the problem that postfix is going to retry with another hop...

Cheers
David

v2.23.0 | Report a Bug | By Email