Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 June 2022 17:03 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 980E2C15AD41 for <uta@ietfa.amsl.com>; Thu, 23 Jun 2022 10:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NfCLpkjsfsE0 for <uta@ietfa.amsl.com>; Thu, 23 Jun 2022 10:02:59 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7783C159490 for <uta@ietf.org>; Thu, 23 Jun 2022 10:02:59 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 0AE89FE0C4; Thu, 23 Jun 2022 13:02:58 -0400 (EDT)
Date: Thu, 23 Jun 2022 13:02:57 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <YrScwUqxWiLnweCH@straasha.imrryr.org>
Reply-To: uta@ietf.org
References: <165360014937.7348.791812490092301727@ietfa.amsl.com> <39887905-080d-0caa-86d9-45adea8705b9@cs.tcd.ie> <00b3db53-9523-db44-1b18-e09dab2ff343@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <00b3db53-9523-db44-1b18-e09dab2ff343@stpeter.im>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/b0kyff9Os30shFYdF3yPg8PTbOk>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 17:03:04 -0000
On Sat, Jun 18, 2022 at 11:56:30AM -0600, Peter Saint-Andre wrote: > On 5/27/22 7:51 AM, Stephen Farrell wrote: > > > - section 3.2: I wondered why no mention of MTA-STS or > > DANE? Could/should we say that MTA implementations > > SHOULD include support for such strictness? > > Hi Stephen, > > Although these technologies (RFC 8461 and RFC 7672) seem sensible, I > don't think we authors have a good handle on whether they are widely > deployed enough to justify a SHOULD in a BCP. We will reach out to folks > in the email community for guidance. Both DANE and MTA-STS have now been around for some years and there is a body of operational experience with these protocols. The story is roughly that: - Both require no changes in the receiving MTA, it just needs to support STARTTLS and be configured with a "suitable" certificate chain that meets the promised constraints (be they DANE, MTA-STS or both). - Inbound DANE is supported on ~3.34 million domains. * Many are small domains MX hosted by the likes of: 1,229,567 one.com 278,987 hostpoint.ch 170,237 infomaniak.ch 161,743 transip.nl 158,849 argewebhosting.nl 112,901 hostnet.nl 107,719 domeneshop.no 100,270 jouwweb.nl 96,866 loopia.se 95,410 webhostingserver.nl ... * Some are email service providers hosting many users and perhaps also customer domains, for example: web.de gmx.de protonmail.ch mailbox.org posteo.de ... - Inbound MTA-STS is supported by a much smaller number (a few thousand not millions) of domains, but notably these include many of the largest email service providers: $ for d in gmail.com hotmail.com outlook.com yahoo.com aol.com; do printf "%-20s " "$d" curl -sLo - https://mta-sts.$d/.well-known/mta-sts.txt | grep '^mode:' || echo done gmail.com mode: enforce hotmail.com mode: enforce outlook.com mode: enforce yahoo.com mode: testing aol.com - Outbound deployment is considerably harder to measure, but IIRC outbound DANE is supported by: * outlook.com and Azure hosted Exchange customer domains * one.com * transip.nl * protonmail.ch * mailbox.org * posteo.de * ... - The sending MTA does all the heavy lifting of implementing peer validation per DANE or MTA-STS as applicable. - Software support for outbound DANE is included in Postfix, Exim, Halon MTA, Power MTA, Cisco ESA, Microsoft hosted Exchange, ... with partial support last I looked also in Sendmail and perhaps some Qmail forks... - Software support for MTA-STS is NOT included in either Postfix or Exim due to its rather unwieldy architectural footprint, with a mixture of HTTPS and SMTP and complex per destination caches. At least in the case Postfix and Exim support for MTA-STS is unlikely in the near term. The developers have expressed explicit distaste for the protocol. Returning to the question asked: SHOULD MTAS support DANE and/or MTA-STS? - If the question is about the software stack, then: * Any MTA that supports STARTTLS already supports both inbound. * Outbound support for MTA-STS is unlikely the leading open source MTAs * Outbound support for DANE is starting to be available even in some of the cloud provider stacks, but is not yet prevalent. - If the question is about operator diligence then: * Inbound DANE requires DNSSEC support from both the recipient domain and its MX host domain. The primary operational burden is on the MX host operator, and DANE scales very well when a single skilled operator MX hosts many domains. Adoption by the domain hosting operator is growing, especially in northern Europe, where DNSSEC-signing is presently also more prevalent. * Inbound MTA-STS requires an HTTPS server for policy publication, with support for the ".well-known/mta-sts.txt" URL. * Both DANE and MTA-STS require careful management of associated DNS records, in particular correct timing of DNS updates relative to changes in certificate chains or the MTA-STS policy respectively. * Outbound DANE requires a local validating resolver on the MTA, which is comparatively easy to set up, but is an extra step that holds back some smaller less-skilled operators. It also requires an X.509 layer in the TLS library that supports DANE-style certificate chain validation. This is currently available in OpenSSL, but last I looked not in e.g. BoringSSL or LibreSSL. * Outbound MTA-STS requires a complex long-term persistent policy cache, and support for HTTPS probes in the MTA stack. In light of the above, "SHOULD" is perhaps still a reach, though I do think that support for DANE is at this point a best practice. As for MTA-STS, I am not convinced given its narrow scope of essentially just the largest operators that it was ever needed, policy for this set of operators could be implemented statically by those sufficiently inclined. That is MTA-STS is IMHO too complex for too little gain, but I'm not exactly a neutral observer... :-) -- Viktor.
- [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt internet-drafts
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Yaron Sheffer
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Martin Thomson
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Yaron Sheffer
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Stephen Farrell
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Yaron Sheffer
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… John Mattsson
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Thomas Fossati
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Peter Saint-Andre
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… John Levine
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Viktor Dukhovni
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Peter Saint-Andre
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Viktor Dukhovni
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… John R Levine
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… John Levine
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Peter Saint-Andre
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Viktor Dukhovni
- [Uta] Multi-Server Deployments (was: Re: I-D Acti… Peter Saint-Andre
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… John Levine
- Re: [Uta] Multi-Server Deployments (was: Re: I-D … Martin Thomson
- Re: [Uta] Multi-Server Deployments (was: Re: I-D … Peter Saint-Andre
- Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-0… Viktor Dukhovni