Re: [Uta] Smallest practical MTA-STS maximum policy age?
John Levine <johnl@taugh.com> Sun, 24 May 2020 16:18 UTC
Date: Sun, 24 May 2020 12:18:50 -0400
Message-Id: <20200524161851.47C0C199403D@ary.qy>
From: John Levine <johnl@taugh.com>
To: uta@ietf.org
Cc: ivan.ristic@gmail.com
In-Reply-To: <CANHgQ8H0dnNQCzrP0rXxZhLh+D52vsqiRyOk8pu9fFifZwBWTw@mail.gmail.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/OIN-ViMQ2vVAEsZrsIE-pK7gMeQ>
In article <CANHgQ8H0dnNQCzrP0rXxZhLh+D52vsqiRyOk8pu9fFifZwBWTw@mail.gmail.com> you write:

>> Thus, my take is that MTA-STS policies with a max_age less than ~30 days
>> are potentially ineffective, and perhaps not worth the bother.
>
> Sure, for production use.
>
> The issue I am seeing is this: New users are experimenting with MTA-STS and
> wish to use a small policy duration until they're confident in their
> configuration. They use values in hours and don't get any reports.
>
> Perhaps there's a case for specifying a minimum acceptable policy duration
> in RFC errata or something?

I publish 86400 max_age and get lots of reports, mostly from Google and Comcast.

If they're testing they should be using testing mode, and the age doesn't matter so much.

  version: STSv1
  mode: testing
  mx: <whatever>
  max_age: 86400

My setup is a little odd because my mail servers have a different name for each domain pointed at them, so I'm also testing whether clients provide SNI to ask for the right certificate and my servers correctly provide it. As far as I can tell they all do.

It's not a perfect test because all of the certs for each server have the same key and so the same TLSA, which (I think, Viktor?) would work even if it provided the wrong certificate.
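The policy file quoted in this message, worked through as an added Python example (written for this page; it is not John's code nor any MTA's implementation). It parses an RFC 8461 policy body, computes how long a cached copy may be used from max_age, matches an MX host against the mx patterns, and shows why the mode matters more than the age while testing: under "testing" a mismatch is delivered and reported, under "enforce" it is deferred. The mail shows "mx: <whatever>", so the hostname below is a placeholder invented for the example; the rule that a non-"none" policy must list at least one mx is the example's own choice.

```python
"""Added example: MTA-STS policy parsing, cache lifetime and mode handling."""

MAX_MAX_AGE = 31557600  # RFC 8461: max_age may not exceed one year of seconds
VALID_MODES = ("enforce", "testing", "none")

# Constructed sample policy modelled on the one in the mail above; the mail
# shows "mx: <whatever>", the hostname here is a placeholder for this example.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.invalid
max_age: 86400
"""


def parse_mta_sts_policy(text):
    """Parse an RFC 8461 policy body into {"version", "mode", "mx": [...],
    "max_age": int}. Raises ValueError on missing or malformed required
    fields; unknown keys are treated as extensions and ignored."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)      # mx may appear any number of times
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: %s" % key)
            policy[key] = value
    for key in ("version", "mode", "max_age"):
        if key not in policy:
            raise ValueError("missing required field: %s" % key)
    if policy["version"] != "STSv1":
        raise ValueError("unsupported version: %s" % policy["version"])
    if policy["mode"] not in VALID_MODES:
        raise ValueError("invalid mode: %s" % policy["mode"])
    if not policy["max_age"].isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_MAX_AGE:
        raise ValueError("max_age exceeds one year")
    if policy["mode"] != "none" and not policy["mx"]:
        # Example's own rule: an enforce/testing policy with no MX patterns
        # cannot be applied, so reject it at parse time.
        raise ValueError("mode %s requires at least one mx" % policy["mode"])
    return policy


def policy_error(text):
    """Return the validation error for a policy body, or None if it parses."""
    try:
        parse_mta_sts_policy(text)
    except ValueError as exc:
        return str(exc)
    return None


def cached_policy_usable(policy, fetched_at, now):
    """A cached policy may be used while now < fetched_at + max_age.
    With max_age 86400 the copy expires one day after it was fetched."""
    return now < fetched_at + policy["max_age"]


def mx_matches(policy, mx_host):
    """RFC 8461 section 4.1 matching: exact host match, or a '*.' pattern
    that matches exactly one additional left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        pat = pattern.lower().rstrip(".")
        if pat.startswith("*."):
            suffix = pat[1:]                 # ".example.invalid"
            if host.endswith(suffix):
                prefix = host[:-len(suffix)]
                if prefix and "." not in prefix:
                    return True
        elif host == pat:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok):
    """What a sending MTA does for one MX: 'deliver', 'deliver-and-report'
    (testing: deliver anyway but emit a TLSRPT failure) or 'defer' (enforce)."""
    if mx_matches(policy, mx_host) and tls_ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"
    if policy["mode"] == "testing":
        return "deliver-and-report"
    return "deliver"   # mode none: treat the domain as having no policy


if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print(pol)
    print(delivery_decision(pol, "wrong.example.invalid", True))
```

The testing-mode branch is the point of the message: a domain that is still unsure of its configuration gets a report on every mismatch without bouncing mail, whichever max_age it chose, so there is no need to shrink the age below a day just to limit the blast radius of a mistake.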