Re: [Uta] MTA-STS with lots of domains

Daniel Margolis <dmargolis@google.com> Wed, 09 January 2019 11:16 UTC

References: <alpine.OSX.2.21.1901081537420.12754@ary.local> <fd6a9ac0-19df-4075-2e75-a5ce47980ce3@bluepopcorn.net>
In-Reply-To: <fd6a9ac0-19df-4075-2e75-a5ce47980ce3@bluepopcorn.net>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 09 Jan 2019 12:15:47 +0100
Message-ID: <CANtKdUee4d=bexpAUj-9+qGLO1ght=H-0XOMuxV-k+BrM3HDug@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/cZh55wFOpWfdwnH-RmHGusMBgv0>
Subject: Re: [Uta] MTA-STS with lots of domains

Yeah, same question as Jim's. If you switched to a common MX, deployment
would be very easy.

To restate your question slightly--because I believe the HTTPS part is in
fact easy (as Andreas noted, it's fairly trivial to automatically serve the
"right" server cert for the desired identity, though I don't claim my
sts-mate is production ready ;) )--your problem is

*Given a large number of domains that share the same physical MTA, but
where each domain has its own in-zone MX record, how do I have the MTA
serve the right certificate, as required by MTA-STS?*

I think this is hard. You probably could get a single cert with SANs for
all of your 80 domains, or one for each new domain, but you will have to
figure out how to automate this (and I guess use SNI to pick the right cert
on the server side--note that the RFC does require SMTP clients to support
SNI, so as to enable this).

As an interesting anecdote, in draft versions of the RFC we specified that
the "mx" patterns in the policy had to match a SAN on the cert, but that
the cert did not in fact have to match the hostname itself, which would
have supported your use case. But we removed it for simplicity.

Since you can achieve the same indirection by sharing an MX host (i.e., a
fixed host, like "mx.provider.com") across all your users, I would
recommend that approach. Is there a specific reason to avoid that, or is
this just the current setup that you have?

On Tue, Jan 8, 2019 at 11:01 PM Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 1/8/19 12:59 PM, John R Levine wrote:
> > Adding to the excitement, every domain has its own name for the mail
> > server, e.g., for foo.com the mail server name is mx1.foo.com, all
> > pointing at the same IP address.  (This is not unusual; Tucows
> > hostedemail does the same thing with much longer names.)  So I'll need
> > 80 names on the mail server certificates, too.
>
> You said that you control the DNS for the 80 domains. Is there any
> reason you can't use a common MX name for them?


-- 
How's my emailing? http://go/dan-email-slo
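The two deployment shapes discussed in this thread (one in-zone MX name per hosted domain versus one shared MX host) differ only in what the sending MTA's MTA-STS checks require of the receiving MTA's certificate. The following is an added example, not code from the thread or from any MTA-STS implementation: it models the two checks a sender performs under RFC 8461 before delivering in `enforce` mode (MX hostname must match a policy `mx` pattern, and the presented certificate must carry a SAN matching that MX hostname), plus the server-side SNI selection the reply mentions. Domain names, the `mx.provider.com` placeholder, and the SAN lists are constructed; the leftmost-label wildcard rule is the one RFC 8461 gives for `mx` patterns and is assumed here for dNSName SANs too.

```python
"""Added example (not from the thread): a small model of the two checks a
sending MTA performs under MTA-STS (RFC 8461) before it will deliver to an MX,
used to compare the per-domain-MX setup with the shared-MX setup."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value lines of an MTA-STS policy file.
    'mx' may repeat, so it is collected into a list; other keys are scalars."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def wildcard_match(name: str, pattern: str) -> bool:
    """Case-insensitive DNS name match where a leading '*.' stands for exactly
    one leftmost label (the RFC 8461 rule for 'mx' patterns; assumed here for
    dNSName SANs as well)."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == pattern[2:]
    return name == pattern


def mx_permitted_by_policy(mx_host: str, policy: dict) -> bool:
    """Check 1: the MX hostname from the recipient domain's DNS must match one
    of the policy's 'mx' patterns, otherwise that MX may not be used at all."""
    return any(wildcard_match(mx_host, pat) for pat in policy["mx"])


def cert_valid_for_host(mx_host: str, san_dns_names: List[str]) -> bool:
    """Check 2: the certificate the MX presents must carry a dNSName SAN that
    matches the MX hostname itself, not merely the policy pattern."""
    return any(wildcard_match(mx_host, san) for san in san_dns_names)


def select_cert_by_sni(sni_name: str, cert_store: Dict[str, List[str]]) -> Optional[str]:
    """Server side of the same rule: given the name the client sent in SNI,
    return the label of the first certificate whose SANs cover it."""
    for label, sans in cert_store.items():
        if cert_valid_for_host(sni_name, sans):
            return label
    return None


@dataclass
class Verdict:
    domain: str
    mx_host: str
    mx_in_policy: bool
    cert_matches: bool

    @property
    def deliverable(self) -> bool:
        """Under mode=enforce, delivery proceeds only if both checks pass."""
        return self.mx_in_policy and self.cert_matches


def evaluate(domain: str, policy_text: str, mx_host: str, sans: List[str]) -> Verdict:
    policy = parse_mta_sts_policy(policy_text)
    return Verdict(domain, mx_host,
                   mx_permitted_by_policy(mx_host, policy),
                   cert_valid_for_host(mx_host, sans))


# Constructed sample: three hosted domains standing in for the 80 in the thread.
DOMAINS = ["foo.com", "bar.net", "baz.org"]
POLICY = "version: STSv1\nmode: enforce\nmx: {mx}\nmax_age: 604800\n"


def per_domain_mx_scenario(sans: List[str]) -> List[Verdict]:
    """Each domain's policy names its own in-zone MX (mx1.<domain>), all of
    which resolve to one MTA; that MTA's cert must cover every such name."""
    return [evaluate(d, POLICY.format(mx=f"mx1.{d}"), f"mx1.{d}", sans)
            for d in DOMAINS]


def common_mx_scenario(sans: List[str]) -> List[Verdict]:
    """Every domain's policy and MX record point at one shared hostname
    (mx.provider.com is a placeholder), so a single SAN satisfies all of them."""
    return [evaluate(d, POLICY.format(mx="mx.provider.com"), "mx.provider.com", sans)
            for d in DOMAINS]


if __name__ == "__main__":
    shared_only = ["mx.provider.com"]  # a cert that names only the shared host
    for v in per_domain_mx_scenario(shared_only) + common_mx_scenario(shared_only):
        print(f"{v.domain:8} via {v.mx_host:16} mx-in-policy={v.mx_in_policy} "
              f"cert-ok={v.cert_matches} -> deliverable={v.deliverable}")
```

Running the script with a certificate that names only the shared host shows the asymmetry: every per-domain MX passes check 1 (the policy names it) but fails check 2 (the cert does not), while the shared-MX setup passes both for every domain. To make the per-domain setup deliverable, `sans` has to grow to one entry per hosted domain (or the server has to hold one cert per domain and pick it with `select_cert_by_sni`), which is the automation burden the reply describes. In a real sender the SAN list comes from the certificate received in the TLS handshake rather than from a parameter.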