Re: [Uta] MTA-STS - Questions on implementing the latest (02) draft
Daniel Margolis <dmargolis@google.com> Thu, 05 January 2017 12:29 UTC
Inline:
On Wed, Jan 4, 2017 at 10:16 AM, Alberto Bertogli <albertito@blitiri.com.ar>
wrote:
>
> Hi! Happy new year!
>
> I had some time during the holidays and started to do a basic
> implementation of the latest MTA-STS draft.
>
> While doing so, there were a couple of things I wasn't sure about so I'd
> thought I'd ask:
>
> - What happens if the "mx" field is missing from the policy?
> Should the MTA skip checking the field but honour the rest of the policy,
> treat the policy as invalid, or assume no MX is valid?
>
The "mx" field is required, so if it is missing, the policy is invalid and
should not be honored. (It doesn't make sense to honor the policy anyway, I
would say, since a policy without allowed MXs is essentially a way of
saying, "There should be TLS and the server identity should match the MX,
whatever the MX is." I guess this prevents SSL stripping, but doesn't
prevent DNS injection, so it's of relatively little value.)
> - For the case of an internationalized domain name, the "mx" field should
> include domain patterns in their U form (e.g. "*.ñaca.com"), A form
> ("*.*.xn--aca-6ma.com"), or both can be present?
>
I suppose this is underspecified in the draft!
I would say based on https://tools.ietf.org/html/rfc6125#section-6.4.2 that
it makes the most sense for this to be in the A-form, since otherwise the
MTA would have to convert to the A form for checking. What do you think?
I probably can make a quick change to clarify this if it seems reasonable to
those on this list.
> - The TXT record is on "_mta-sts" but the policy is on "mta-sts". Is that
> intentional? Why not putting both on the same domain, to simplify things?
>
Yes, this is intentional. The underscore in "_mta-sts" was kept to be
similar to that in (e.g.) _dmarc TXT records, but for the HTTP host this
seemed inadvisable:
https://www.ietf.org/mail-archive/web/uta/current/msg01524.html.
>
> - The draft says that clients MUST check the TXT record, but it seems to me
> it's totally possible to make a reasonable implementation without doing
> so.
> Is it worth using "MUST" for this?
> I imagine this is related to the previous discussion we had, but
> forcing MTAs to check seemed quite strong so I was wondering if
> there was something else.
>
I think there's some utility in specifying this as at least a SHOULD so as
to ensure common behavior--otherwise, a recipient domain that updates its
HTTP but not TXT will work some of the time for some senders, I guess? That
seems risky.
But need it be a MUST? Probably not. The truth of the matter is, as you
say, that nobody would really know (except from slightly higher request
rates) if your implementation did HTTP-only. ;)
I'm open to making this a SHOULD, but it's not something I have a strong
feeling about one way or another. What do you (and others) think--worth
changing to SHOULD? Better to keep a "MUST"?
>
>
> Thanks!
> Alberto
>
>
> In case you're curious, the implementation I have so far is at
> https://blitiri.com.ar/git/r/chasquid/b/sts/, in particular
> https://blitiri.com.ar/git/r/chasquid/c/febad008f38c9ac980a4c0a6179a7681fed7f125/
> (patch and branch are subject to rebasing).
>
> It's mostly fetching, parsing and checking. It has no caching or
> reporting yet; I will add them later, but thought these questions are
> independent anyway.
>
I feel slightly bad for not having shared this earlier, but I wrote a toy
implementation here: https://github.com/danmarg/smtp-sts. As with yours, it
does not do caching or reporting; I wrote it merely to power this:
http://sts.x.af0.net.
Feel free to copy any code you like, of course, though it's a little late
for that. ;)
>
> The integration into the MTA itself will come later too, but I expect it
> to be roughly similar to the integration into the smtp-check tool, which
> is included.
>
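One way to implement the three points settled in this exchange (a missing "mx" makes the policy invalid, "mx" patterns compared in A-label form, and a wildcard that matches exactly one leftmost label as in RFC 6125 section 6.4.2), as an added example that is not code from the draft, chasquid or smtp-sts. It assumes the early JSON policy layout ("version", "mode", "mx", "max_age") and uses a constructed sample policy.

```python
import json

# Constructed sample policy in the assumed JSON layout of the early drafts;
# it mixes a U-label and an A-label pattern on purpose.
SAMPLE_POLICY = """{"version": "STSv1", "mode": "enforce",
 "mx": ["*.ñaca.com", "mx.xn--aca-6ma.com"], "max_age": 86400}"""


def to_a_label(name):
    """Return the A-label (IDNA/punycode) form of a host or "*.host" pattern.
    Conversion is done label by label so a leading "*" survives untouched;
    the result is lowercased because ASCII labels pass through unchanged."""
    out = []
    for label in name.rstrip(".").split("."):
        if label != "*":
            label = label.encode("idna").decode("ascii")
        out.append(label)
    return ".".join(out).lower()


def parse_policy(text):
    """Parse a policy document. Returns the normalized policy, or None when
    the policy is invalid and therefore must not be honored."""
    try:
        policy = json.loads(text)
    except ValueError:
        return None
    if not isinstance(policy, dict) or policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "report"):
        return None
    mx = policy.get("mx")
    if not isinstance(mx, list) or not mx:
        return None  # "mx" is required: a policy without it is invalid
    if not isinstance(policy.get("max_age"), int):
        return None
    policy["mx"] = [to_a_label(p) for p in mx]  # compare in A-form only
    return policy


def mx_matches(policy, mx_host):
    """True if mx_host is allowed by some "mx" pattern: an exact match, or a
    "*.x" pattern whose wildcard covers exactly one leftmost label."""
    host = to_a_label(mx_host)
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```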