Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal

Alice Wonder <alice@domblogger.net> Sun, 06 January 2019 03:05 UTC

Return-Path: <alice@domblogger.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67C88128D09 for <uta@ietfa.amsl.com>; Sat, 5 Jan 2019 19:05:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=domblogger.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JERMWqr3_r_y for <uta@ietfa.amsl.com>; Sat, 5 Jan 2019 19:05:15 -0800 (PST)
Received: from mail.domblogger.net (mail.domblogger.net [104.200.18.67]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 723D1128766 for <uta@ietf.org>; Sat, 5 Jan 2019 19:05:15 -0800 (PST)
Received: from localhost.localdomain (c-73-15-182-232.hsd1.ca.comcast.net [73.15.182.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPSA id BB1C822F9 for <uta@ietf.org>; Sun, 6 Jan 2019 03:05:14 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.domblogger.net BB1C822F9
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domblogger.net; s=default2019; t=1546743914; bh=0TraK+WqTf98hqms2IY/PY6HycJRHQMLGsso4zT+xoo=; h=Subject:To:References:From:Date:In-Reply-To:From; b=DSR8B5FrtK3mVpPWISTR5pZ7pmg0oC5kIkGns2f2IQS7mil82/dAc6+uK+C4jJGvk UVvWjAHdyODD8Tdokd6pto+zfirO8OgGOKQJqEtISsR3O6CAAzcg/mSsYZ8S5PyI+7 kemYfUaUG43ICyZvsHdhdrsMXDn9PcmWjyZ5x6mT2DPJ2dZh7sq9wAJXQIJhhLoimX b5Yep7yRR/HAvrOd3+p2sKYDItnO0PSckU6CirEkdNn74o7f08mRJxqcUrb9i+y3hY WE6FY9QFuhlSS8zGbi0t8vdV5diAlAmWwL7xPJR2wA3r5VOUtZ9XLN1ackQug8a7Cd pUcjV9WQrJC3Q==
To: uta@ietf.org
References: <CAOEezJTyEf+Sn9ZqQPue1DFUSoFO211YogJ6ufYJxswWzXk=_A@mail.gmail.com> <20190106010828.CC431200C5ED52@ary.qy> <CAOEezJShOYkmy8-E+8zG=CPXxrWNcxf8q8W8MnW-v1RT0FzEWw@mail.gmail.com>
From: Alice Wonder <alice@domblogger.net>
Message-ID: <123cecc0-aba2-9530-c0d9-b6437f295140@domblogger.net>
Date: Sat, 05 Jan 2019 19:05:12 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <CAOEezJShOYkmy8-E+8zG=CPXxrWNcxf8q8W8MnW-v1RT0FzEWw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/amj9PKEcFrKCd0GFXMAb20IgETA>
Subject: Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jan 2019 03:05:17 -0000

On 1/5/19 6:44 PM, Viruthagiri Thirumavalavan wrote:
>     There are plenty of lightweight free daemons out there that can
>     securely
>     serve static content over TLS.
> 
> 
> Alice, Thanks for the input.
> 
> I don't think "lightweight" is the problem here. If i'm desperate about 
> email security I'm gonna configure the web server even if it is not 
> lightweight. As you know, web server and mail server are two different 
> things. One should not depend on another in order to work.

Well since SMTP is point to point, if you depend upon encryption you 
need S/MIME or PGP and always will.

Also I seem to recall talk of an e-mail header clients can add that tell 
a MTA not to forward it without encryption.

What the HTTPS server in MTA-STS really does is give some limited 
protection against DNS MX record spoofing for zones that do not have 
DNSSEC and/or for MTA clients that do not validate DNSSEC.

SMTP itself still works without running a web server. The web server 
really is just an easier way than DNSSEC for some admins to secure the 
MX response, a 2FA on the MX response so to speak.

> 
> For example, I'm using my domain only for mailing purposes. If I have to 
> setup a HTTPS server to make my email secure, i'm probably ok with that. 
> But it's not easy for non-tech savvy user who depends on third party 
> mail services like Google Apps. Setting up web server, installing SSL 
> certificates are high level tasks for a non-tech savvy user.

Not really all that high level, and if they are too high level for the 
user, there are inexpensive services that do it for you, including valid 
certificate thanks to Let's Encrypt.

I agree it would be better if Google started signing their zones and 
supported DANE for TLS.