IETF Logo Mail Archive

Re: [Uta] I-D Action: draft-ietf-uta-smtp-require-tls-02.txt

Jim Fenton <fenton@bluepopcorn.net> Wed, 11 April 2018 21:29 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E06B912895E for <uta@ietfa.amsl.com>; Wed, 11 Apr 2018 14:29:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtMebqJRU8QL for <uta@ietfa.amsl.com>; Wed, 11 Apr 2018 14:29:10 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D84127876 for <uta@ietf.org>; Wed, 11 Apr 2018 14:29:09 -0700 (PDT)
Received: from steel.local (198-27-255-66.static.sonic.net [198.27.255.66]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id w3BLT681004981 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <uta@ietf.org>; Wed, 11 Apr 2018 14:29:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1523482149; bh=4d/ROp/HjzTKJFHj9w3VtIGkrKA9UB1D5Eg+NZFKcCY=; h=Subject:To:References:From:Date:In-Reply-To; b=b4LcauUGXqRUVMmaTpaFM3mnmk6Z3AdVHds3rIoO3oobV0//zgjXYbrEg3di1jyrI lBUCoqmU/ASR0uwuxmZ8/LCwwr57jA3j/u6yrC15/8GkSib4tZ0FuSklVvOHQgqH+U Gkhw69u6KI2yhrk54w6u+aU8U5REPOGxbZljpQWI=
To: uta@ietf.org
References: <152305638216.30034.16510218126274182651@ietfa.amsl.com> <d751109f-fc28-6ff8-4dcf-9548196ab971@bluepopcorn.net> <59385B47-7983-4962-83DC-27A856119D84@oracle.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Openpgp: preference=signencrypt
Autocrypt: addr=fenton@bluepopcorn.net; prefer-encrypt=mutual; keydata= xsFNBFJNz0MBEADME6UoNSsTvSDJOdzL4yWfH4HTTOOZZPUcM/at38j4joeBb2PdatlwCBtk 9ZjupxFK+Qh5NZC19Oa6CHo0vlqw7V1hx1MUhmSPbzKRcNFhJu0KcQdniI8qmsqoG50IELXN BPI5OEZ3chYHpoXXi2+VCkjXJyeoqRNwNdv6QPGg6O1FMbB+AcIZj3x5U18LnJnXv1i+1vBq CxbMP43VmryPf8BLufcEciXpMEHydHbrEBZb/r7SBkUhdQXjxRNcWOLeYvOVUOOrr1c+jvqm DEbTWUJVRnUro/WpZQBffFnymR0jjkdAa8eOVl/nF2oMLbaBsOMvxCRSSEcGhuqwbEappNVT 1nuBTbkJT/GGcXxc+lEx9uNj86oYC4384VZJMTd1BRI4qPXImNZCIdmpKegK743B6xxN6Qh1 Tg167pn9429JENQE/AFIVX5B/gpsg7Aq+3rmz9H6GbfovPvFV3TBTgsHCHAMC8XU+S4fhcqN PN0lbUeyb7g6wxaE+dYqC7TExx7G3prw4v66y0qS7ow/Cfw8XXOEkaFQ4XwP7nvfILT+9CcU yS8I40vlDFU9Wnt56CbGz0ZVQgHnwyPXL+S9kCcIwRLFx1M79s6T6qwX1TXadfpbi1uIw7XG TiPDT8Pk6i2y22oSSROyYD4D+wOhVkkvO0S8iZ3+LhAYUx86nwARAQABzStrZXliYXNlLmlv L2ppbWZlbnRvbiA8amltZmVudG9uQGtleWJhc2UuaW8+wsF6BBMBCgAkAhsDAwsJBwMVCggC HgECF4ADFgIBAhkBBQJZldiTBQkJKTzQAAoJEBslqLAV0J++/8AP/0T3XoGmX4c12LSjeBeh fAE9gydAHT8ny70yyhcxc/E7deDksmdRW9DBMBdXiN1HSxIJBPsUDl2KXvityxjOAJcorS63 tQ2aE6LcywaguWJ/SswJEWWkCxL3T4VTo5iprGdSW3khj3TmWZjqLGqoTobVDtfjdXeW0193 dnFjzoOA9OHmm7T0ifhRp2fKcQaO2bGtDSFjQYVolGWdNaLZHG7Ayb0HkDGHFGmIqQuiWgZl EGTwSsPY6b2Eov2mB+KN+aqvvrNqOwHHLfyMnuZAt4IUyPkjPGKntRPMAg+5h7JJOwnmlgRZ VW8/W43XWOlqHVjxKD/NKp9TV052opZR/swgLi67LXldBelTRmcc+6B1oXw9KwZ5WInBIVxL tFc5JfevZTHOCaTkUX7ATzygUBkhv6e+nuTCUOygv0gSVSLEeuTh3cJDXvLSjzWIanNqE93I Y859fv7/if5x76ljuynVXBza6yryQCLEYCz0Kj7hIMsRrS7bHTLQicoMlU0ZU9HIZareJGmJ dTspX2is9up+CrTAioYGejoyJJdG2ygaTxJAHhCWXJtMIXptSfFFzZXG+7vPJKFQ3MksD24q gRYII1cJa9Ddj6Wad9ZjR67ntOg87SFloJ+tTqF7mbgHVJZ1feyElU1oYvCxy1kMuE52yxOe lxoV9AvbYOSZfH+7zsFNBFJNz0MBEADBlpdizc7MaWmq9IfcdH0aNLMh4/QSawEKOl8h1ltA HBDdlESIwYic3FX7GR2MsODRy2tbNQJR7emVZ7k0mSmOqb4oxzsYqHJ5YnkxlG1WuHRWkVOq LxTBg9a6YBioTXL9TWZ7/Mel8b0QPB1JioyQ8XvoXLlb6+Fk/YgsppjypZIvIfxM+XmYUYHK l9PxDpS7OVGzZpNuxO0Ff+rAfuDO0xElKNC1ijbQCoKAEEcgD/TFXmoMfsJVjIrI9Di0ktDz /HJPKxRLl97CuPyVmj8b1Jo20LcIS+sljDIDSe9gHr6Ek8yow/+3JFcz/1djeo7hXG5z6bl9 htNlrkZgBk024Hl2+ojVTSwVNYERukB5puoJDjRmcVKP63W0G7B+Ph7L+gnvxZHKDn5VO88p FG5s6ZlyfOPnJ9NLdUbEBlvg2yPVLZ/cos/Rn4K/h23z3cjYlZMKHDuMDWiYXRBNBoGrXjSf Tzg8Wd0Ee52tndzP4A8Lz2KJ7YdDiMZCV1dlecbJIeceUD5ZTJn3CA6mVb0XhD8umzVue6Hl W209Wk1+NfyGJXjxqX5v663id/NcCuKkhFYXdMvvb/omqAQo2FErJGfRLoGJ2J5LIdbOolHd GiL9g1O/JfIuHqLqO0HJvcVueFh//2iWhsOmPQT6RN6YuvCjCt7zmDC6lKmGqXNVJQARAQAB wsFlBBgBAgAPAhsMBQJZldidBQkJKTzaAAoJEBslqLAV0J++ZvIQAMKYNCPNmYQ2Y1JyWeaO k7PohRPkEXphuFxtnJHOiiSSaSMmUB4MaxywOkAJ5vJTu+NllLcL2WjVBqyzhwVtcbVoHHKk +fL5oJ4Mf+Rr/JJa6NO1knFFhnRS9Cfm9DoWU++1w6hTR3xp5FqoRI/y6LTwdMzF+4lkH2EO voGvyJKdt4iK999UFloSWW7OuuVOfylY0vVuvkpE/UGPdty1z+Xr8GvRkoajS9vYLnEPb9CY MWnFitBLGe6xR/2+ysmUeKiS8OYY8c7PalvV0pZ9iqBZTXjSK+z4+Y/Y51LroyR53B3eGOdM HeCoDfd/aPeD960PLkzmVvOzt9jGj8/ggR33SqqAJL95iEAAmWsJCwts2KiN7scdGTUTD9gC LcwbwKDFkSdDMk+nuzRT7rYRPokOAGorb6wknAmbi3RBSH4raBQ11HZ+oOzl16RrEue4AuR8 XJmdH7IPUsMPfA4mwk0PpmDcwKw1U5YCMpDkGL9nhGfyVyccVz8eBa5wDBl04bXhTBY5gGZy begFLusTjnAIXhLR7HfEEI9yPShssw8c4KwkUG0qnHEflwb2W9rsqnVhHD61bjBAE2SX0/pc EyBpZw1gPkRKsD02PZJvebepjW4r/nTfiHOj6yjxiTrgHRmDT3DS9ettiwf15WjfXmdIuWgX 747WdW48X4EpMmWU
Message-ID: <5f69f9a3-7c2c-088f-6279-8c7ff595700f@bluepopcorn.net>
Date: Wed, 11 Apr 2018 14:29:00 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <59385B47-7983-4962-83DC-27A856119D84@oracle.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/j1A3OdhbLW7iU1jco-gAgWCjKqY>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-smtp-require-tls-02.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 21:29:12 -0000

Thanks for your review, Chris:


On 4/9/18 6:08 PM, Chris Newman wrote:
> On 6 Apr 2018, at 16:20, Jim Fenton wrote:
>> The major change in this version is the removal of the options (CHAIN,
>> DANE, and DNSSEC) from the REQUIRETLS SMTP option as discussed in
>> London. There were also inconsistencies in the header field name
>> (Require-TLS vs. RequireTLS) so I chose the latter.
>
> Although I don't intend to implement this because I don't foresee a
> use case, I reviewed it out of curiosity:
>
> 1. Section 4.3 needs to allow use of implicit TLS (RFC 8314) in
> addition to STARTTLS. The submission client would verify the TLS
> certificate of the submission server as documented in RFC 8314.

Agreed. I was somewhat focused on message relay (since submission is the
first hop, and the sender can directly control what happens there). But
submission is also SMTP, and the REQUIRETLS should handle all uses of
SMTP consistently.

>
> 2. There should be an example showing the SMTP protocol used with the
> REQUIRETLS mail from parameter.

Good idea.

>
> 3. The IANA considerations are incomplete. For example, they are
> missing fields required to register in the SMTP mail system response
> codes registry. See RFC 5248. I'm not sure this specifies all the IANA
> registration fields described in RFC 5321 for an SMTP extension. IANA
> considerations are not typically removed during publication.
I'll fix this section; it does appear to be incomplete. I should have
said that the IANA Considerations are updated at publication, right?

I'm not entirely clear on how the status codes (specifically the detail
sub-code) are assigned. Do I leave it as .X in the draft, to be changed
into an actual value at publication?

>
>
> Architecturally, I see "RequireTLS: No" as potentially useful to work
> around MTA-STS deployment bugs.
>
> I think the text related to bouncing a REQUIRETLS message is highly
> problematic. Metadata related to email is not private due to laws in
> certain jurisdictions and pretending it can be more private than it is
> does a disservice to implementers and users. The mail bounce
> infrastructure is already problematic and this makes that
> infrastructure more complicated; if this were implemented it would
> increase the chances of lost mail and/or the cost of mail system
> operations. I find both of those outcomes objectionable. Even if I
> decided to implement REQUIRETLS, I'd deliberately choose not to
> implement the entire section about bounce processing as presently
> written (and document that choice as both an intentional choice and a
> good one).
>
> If you want to say something about bounce processing, I believe this
> is the best you can do without making the bounce processing unduly
> complex:
>
> If a REQUIRETLS message is bounced, the server MUST behave as if
> RET=HDRS was present as described in RFC 3461. If both RET=FULL and
> REQUIRETLS are present, the RET=FULL MUST be disregarded and MAY be
> transformed to RET=HDRS on relay. The SMTP client for a REQUIRETLS
> bounce message MUST use an empty MAIL FROM return-path as required by
> RFC 5321. When the MAIL FROM return-path is empty, the REQUIRETLS
> parameter SHOULD NOT cause a bounce message to be discarded even if
> the next-hop relay does not advertise REQUIRETLS.

Part of the point of REQUIRETLS is that end-to-end encryption doesn't
cover everything -- specifically not the message header and envelope
information. While that information is not private to the MTAs handling
the message and potentially the jurisdictions in which they reside, TLS
prevents that information from being available to the jurisdictions
through which the message merely passes. The point of the bounce
language is to make sure that is still the case for a message bounce.
I'm still concerned about metadata leakage on these bounce messages.

I do see a problem that the current text (section 5 paragraph 3) assumes
that the sender of a bounce would get feedback about whether the bounce
delivery failed, which doesn't work because the envelope-from address
would be empty as required by RFC 5321. So what I would have it say
there is that bounce messages resulting from REQUIRETLS should always be
redacted. Unfortunately, this means that the bounce is only delivered to
the postmaster, which isn't particularly useful. So then we're back to
sending bounces to REQUIRETLS messages with REQUIRETLS also, and not
doing any special redaction, other than noting that some bounces may be
discarded by the mail system as a result.

I really don't see the value in changing RET=FULL into RET=HDRS. In many
cases, who's sending mail to whom is as (or more) interesting to an
eavesdropper as the message content.

-Jim

v2.23.0 | Report a Bug | By Email