IETF Logo Mail Archive

Re: [Uta] New proposal: SMTP Strict Transport Security

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 11 April 2016 20:30 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48BA012E6D2 for <uta@ietfa.amsl.com>; Mon, 11 Apr 2016 13:30:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tg0ANPRACw2 for <uta@ietfa.amsl.com>; Mon, 11 Apr 2016 13:30:49 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FDA112ED47 for <uta@ietf.org>; Mon, 11 Apr 2016 13:30:48 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0CC3C284DCA; Mon, 11 Apr 2016 20:30:47 +0000 (UTC)
Date: Mon, 11 Apr 2016 20:30:47 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160411203046.GZ26423@mournblade.imrryr.org>
References: <CANtKdUewMQ5jVAUOaWfuUquFdDB_dh_jNEfAo7T=qruqzszGqw@mail.gmail.com> <1A3DB748-26E6-404D-84F5-962B3AA21AB4@azet.org> <CANtKdUf9MujQxZQMz8xbPi+EVOYXLWgR342x1-S8u12PPm-TAA@mail.gmail.com> <20160406224039.GH26423@mournblade.imrryr.org> <20160408151600.GB13343@schweikert.ch> <20160408190615.GM26423@mournblade.imrryr.org> <20160409220007.GA17512@schweikert.ch> <CANtKdUd5Oqbd9Y-mTzEoBzKJJy5gcbUzYOu=YFziGaCsg56SoQ@mail.gmail.com> <20160410204458.GX26423@mournblade.imrryr.org> <CANtKdUe7_ZUT=Js47mP=i7h+hbR6wrMJN6XvZEypyWGyTkVUeA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUe7_ZUT=Js47mP=i7h+hbR6wrMJN6XvZEypyWGyTkVUeA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Q4A99aWrrcey0FUNfGEWZY_1YkE>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 20:30:51 -0000

On Mon, Apr 11, 2016 at 10:07:14AM +0200, Daniel Margolis wrote:

> I see your point. But I think one thing still needs to be specified. In the
> smarthost case, what domain is used to validate the server certificate
> during the HTTPS policy fetch?

The nexthop domain.  It may, or may not, be subject to further MX
indirection depending on local policy:

    1.  # Forward example.com email via example.net's MX hosts
	# whatever they may be
	#
	example.com	smtp:example.net

    2.  # Forward example.name email via the smtp.example.org
	# relay host.
	#
	example.name	smtp:[smtp.example.org]

In case "1" the STS policy DNS lookup (signal of support) would be
at "example.net" and the well-known URI would be https://example.com/...

In case "2" the STS policy DNS lookup would at "smtp.example.org",
and if that happens to indicate STS support, the well known URI
would be https://smtp.example.org/...


> Presumably it's now the domain of the
> smarthost, not the domain of the recipient domain (for obvious reasons).

Yes, always the domain of the SMTP nexthop, which may or not be
subject to further MX indirection, but recall that (RFC 5321) relay
hosts are just (implicitly) MX domains with:

	smtp.example.com. IN MX 0 smtp.example.com

So the two cases are the same, the STS policy is always associated
with the owner-domain domain on the (possibly implicit) MX RRset.

> But this is mildly funny; absent smarthosting, it's the email domain that
> signs the policy (for obvious reasons); with smarthosting, it's the MX
> domain?

Nothing funny at all, and not it is always the transport nexthop
domain that signs the policy.  Do not confuse the nexthop domain
with its MX exchange host, even when they are necessarily the same
(example 2).

> I guess this is why Chris was saying it makes sense to separate routing
> policy and security policy, but I don't love the complexity that that adds.

Yes, these are related.  With DANE routing is protected by DNSSEC
alone, and TLSA records then provide security policy for the target
MX.  Since TLSA records are cleanly separated from routing they
protect the traffic for that MX regardless of whether MX indirection
was used or not.

In Postfix 3.1 (released in Feb 2016) we by default also make use
of DANE TLSA records even when the MX RRset is not signed, provided
the MX host's TLSA records are.  We don't log that as being as
secure as having signed MX RRs, but it does protect against active
attacks when the DNS records are not compromised.

> I think instead it makes sense to simply say that in the smarthosting case
> the policy domain is the smarthost domain.

Not sure where "instead" comes from, that's the only plausible
interpretation for transport security, but note that when the
nexthop domain (smarthost is a special case of nexthop based on
local policy) is subject to further MX lookups (example 1), the
STS policy is associated with the nexthop domain, not the target
MX hosts.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email