IETF Logo Mail Archive

Re: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE

"Brotman, Alex" <Alex_Brotman@comcast.com> Thu, 16 November 2023 13:59 UTC

Return-Path: <Alex_Brotman@comcast.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60184C14F739; Thu, 16 Nov 2023 05:59:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.com header.b="MGZ3v55Q"; dkim=pass (1024-bit key) header.d=comcastcorp.onmicrosoft.com header.b="iaHSpsuW"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wllPiVhAJwGI; Thu, 16 Nov 2023 05:59:27 -0800 (PST)
Received: from mx0a-00143702.pphosted.com (mx0a-00143702.pphosted.com [148.163.145.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBE5EC14E515; Thu, 16 Nov 2023 05:59:24 -0800 (PST)
Received: from pps.filterd (m0156891.ppops.net [127.0.0.1]) by mx0a-00143702.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3AGDuG9p019535; Thu, 16 Nov 2023 08:59:24 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=20190412; bh=U+DpdFAjbTJxkeZl7r7smXVU8DKCSXemgdwZ+3byTyo=; b=MGZ3v55QO9voUSwXs/Mq/YsDl3+xpqADkp8RBj1ZMFtfnDST1Gvh60kunR8Tb3FYoD8e caKswb+GRWIMXJGLx4MQiIHQoc0EyfQBeI1Ec6WYuwp/AzOMSLUMVeJCZZcEkAZNU03a VBp4isgR8vI3ohOqdebQIfhhfI9WxIVF2/EbhTd4WM7fz6ypipG2xrUaZmpFKr2sAOCf taCAivwwqapcHNoN6yQ4LrEpNaveFGWfspk7f48vm//ENO+dpT8vk5YtAn5Z3rI7diNp w5HAZfOI2CKzYhETB8UHGji+cFYznnjaTspw473jpI7sC1EDyLVYc6OSkk6OEPROdWlJ uA==
Received: from nam02-bn1-obe.outbound.protection.outlook.com (mail-bn1nam02lp2040.outbound.protection.outlook.com [104.47.51.40]) by mx0a-00143702.pphosted.com (PPS) with ESMTPS id 3ucj2ruj62-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Nov 2023 08:59:23 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=H0j4LeVmlYQzvRE5ysMS2v7EnvPWjdNXtycEuWXrIq9zza4MeMwlDKgjzA8R9eqRZUBHSkY/79i6cVDfkvVBWZ+zPnXFgH1HUwK2v67HdrF2EjFrAwI0uembnlBzajbbzTyFpsGaqBrxdVv6L1mc1j6FaQvQn7qcViS7mUg0+lQEPwHTOb/U2U31XkBNfvlKteVMcOIcPzc/0uaioa9Hw73KY/1uORGbwNyAxWvnhX552H3rFZGCLIL8vCtmIvVBNwI74p1waJAm2SsgXjuXuCrzQLAGDFk7Erds1dFBYSZNb3EhLKc0jJXZMEg08EbQV3nVMkOxff4oZVgSxLQGjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=U+DpdFAjbTJxkeZl7r7smXVU8DKCSXemgdwZ+3byTyo=; b=NtBbq34PmJD+ixiI4GPNSc4VatX6/aO7h8MrEpTHSfwQcCUbwEEfbjD6j0Hh8MXPNOPOptwMexlVodldS16CSkDpRdm/aTtaRYZbzXvXC67nZ0eMDeqeRYnu7GKEPhDjn4Salveb1BwIxYTEl2/RImZfbNajSW2HreiZJhJzXbV8F/PoLg08OJuFvYj/9xrRiHCYfEvtWOBdMCP88LS+MVSKq6pZOXznX0vhA+hC/3fmBW+Ph99dgVuUvk7bO1AOK+4sZ5tqdykZjafOvLA04mWjMmVriZIynKCuNhf+0j42iFlMQqNM5iHo+mpefCD/QKEcqmx5f4luLB5L4WGVUg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=comcast.com; dmarc=pass action=none header.from=comcast.com; dkim=pass header.d=comcast.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastcorp.onmicrosoft.com; s=selector1-comcastcorp-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U+DpdFAjbTJxkeZl7r7smXVU8DKCSXemgdwZ+3byTyo=; b=iaHSpsuW85ojWFpnwCwMWIBYjxNYE54tyMlxrNVkUJ618z6nOrBolp8c1U4N/IcoeIJ/rOtKrE2HdCSenC/wCaOf0SbaSPYigRR0/xYf9Bv0LkaZwFKhJIcXvNJs9jYMsuFz8EJiYtb9XqSOaduMtO+3lq8yLb6GjLAJdVBU9gE=
Received: from MN2PR11MB4351.namprd11.prod.outlook.com (2603:10b6:208:193::31) by SA1PR11MB6710.namprd11.prod.outlook.com (2603:10b6:806:25a::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6977.31; Thu, 16 Nov 2023 13:59:17 +0000
Received: from MN2PR11MB4351.namprd11.prod.outlook.com ([fe80::721:600b:d004:b4d4]) by MN2PR11MB4351.namprd11.prod.outlook.com ([fe80::721:600b:d004:b4d4%4]) with mapi id 15.20.7002.021; Thu, 16 Nov 2023 13:59:16 +0000
From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: Mechiel Lukkien <mechiel=40ueber.net@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE
Thread-Index: AQHaFwhnz+mpK3xxkESiT1daGRgk47B8+H+A
Date: Thu, 16 Nov 2023 13:59:16 +0000
Message-ID: <MN2PR11MB4351F7BF452EF3C45C02196AF7B0A@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <f4uAUqwma6dZnvvieVptWA@mail.axillis.nl>
In-Reply-To: <f4uAUqwma6dZnvvieVptWA@mail.axillis.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_ActionId=00e0f2b4-e1f4-4242-8f5d-c560620dd162; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_ContentBits=0; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Enabled=true; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Method=Standard; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_Name=Confidential (C); MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_SetDate=2023-11-16T13:46:21Z; MSIP_Label_15652fe2-2b59-4d95-925c-ee86d789ff67_SiteId=906aefe9-76a7-4f65-b82d-5ec20775d5aa;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR11MB4351:EE_|SA1PR11MB6710:EE_
x-ms-office365-filtering-correlation-id: 3d6600b1-446c-4576-e5a8-08dbe6ac390d
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: S8b2FKXsOLHRLvZqAwtrIr0v4vOCAfxyrmQQMhBOQDJiq8V7ibXNy02dvgTPoPILQmYiTkwCvwuKv26cXxG8L10zG4WmJsOHTHEHQTdMdgTVyQ4BZk+4L1L49zb8O0nnTbQGb8sTQWvbJXRrwsmIE7GezTIRWp2raaHmHtP3/dW3WL/Tqt5RdkGoyl6jOv6h/t2S9lrHJz18tes/IZx7zM5tg7vDwZJKR5QhlAoM8R27jugIg3F4OfmTQnqhs1TOuMp2LsENWGOCcMVjq0R8RfVa30qtcvDBpeNNnQMvX4FnjFjisf+KlZpyB84yj0zqvpY6t8Y8REWxsxX6SsSeqXGKrkWsLlwhftru1gVhWNE1u/cyKVyXSFOPOVh++rdYROupghoiTYk/ToMhArXaC27hYKsHdLTecCImcRyoOJa4NobOStlnDks+LmA2vm614R1441xs+rxxVEuj7+kRBlydzYt+94qR1qCJc1Hh5wxR4yFBdJl14sQYJ7aH9ciykZvIG+fOLABmqlmMctISHLsIWLPxVeuTM+bsrpj4DTLf5o8i5kUQxwna+yymRn4EBrfCXrsI4bcT/FASqbq/aa9hFE8vm97n5cAJXYEBUtjaCCG58hhpCPWqrGfW4lpRioFU8S+evbsNNDe+Dl65kg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4351.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(366004)(396003)(346002)(39860400002)(376002)(230922051799003)(64100799003)(1800799009)(451199024)(186009)(38070700009)(55016003)(478600001)(6506007)(71200400001)(122000001)(86362001)(7696005)(82960400001)(41300700001)(33656002)(38100700002)(9686003)(30864003)(2906002)(83380400001)(5660300002)(66446008)(64756008)(8676002)(316002)(76116006)(110136005)(45080400002)(53546011)(66476007)(66946007)(966005)(66556008)(8936002)(52536014); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8USU65jEV/ruk0EPKgD3Q9sSLBdiRL+yVKd5HzUmb+gyOsloykFENv+JUS2tPp0tP2jqJsHd4qrVfyV3CPtETEYXV9qZPrdRUFwwbdPd9CxNGN8amaac7gEKYd7FikzxUPlVxMrFvW1gZ3Kd182dDzAuwrrIxC072van3v2cVA/zEkk/PdrXh+r7aW+Jpga/ff2a7HGDbuuZevOs1cW6TA1VoYNAK8QairXkA4tpLqlWwvaSAe3zfuwRyUbgYlr3wTxu/VAYJOoh7AtydOQUDUARPNioLkUIGOIypE8xuh4gIRo/ShA1S+ZHrSf4Y9c8+KuMy3DdKf4K/eXodC0zUnxaOWrRocAk0IGZonc19W7sbrNpD05kfmhMkqyDm4vMnJmbd0i3Opm2N6IV43GFz6SDMPcsJ2Kg2cQQdLpXaeyKEqFl4KqdoERFzOXs/C2bycJw/pobu3XkKxANhq6DKgG8X+OqmI/U7DV1xW9iaNqOxCwX3sMMeiNU9VWUld6cTitsW7NUeYmuk6foz4R9bHMAU6gwmT86kIlkgNNqNOczM/a9E7tN+XM4s7vLtEITUiSw+4em+3jSfpMrgHawaQ4KVPt9Z+34OcIIC/8oqyb8AbvCEJqr7hrCwWcvdSQH9bVJy4PXZIYOZvteCn9HwA8JtbpB66WvF5bFkqvxMqTjMr0TBVIZ1CxX+OEmTEi0o37xCQ5oI8aloSCnPehxB/LBqq/M0K2sub2q0B+sFdo0Dof0wEDm06R00JxXBbw9greLADHvtAbpKtpNxhooqLKdu8Yl5X0jnGQ1W+NRKuwfo7r1VuhC/ni1xMsOjSdr20SE0aXhLo4OQvLCkuV1ciSzzCpS4D91XEBh6xrGwfCFJG+GavA43/8y+6RqxwcEriGnTto2+gttf6xb31OTolqjuUX6cMIB3ZNDM0bPUjDjdQvoIRxBF8MW5wH/C0w6I03Z669vMWuqsWrCWWi2Lg1m3Sj07jFu5rsmq5CF5d4O5Tt0krwGP6nkY1MP/VtFWStW6UD5izDnUDbEUGwRJLnuaqznSGehJGBOlYxVQfrwk4sX0B+Pe5wOpWxGA2dOptI4jOTnFKtB37tA+PhxoO//+5Gyoi91aj+oWRjkS0R3m06srLLDBJHXmxEbvk4x8lnhCAtuW8iMJ6/zQYhng0ecbD+wRquuNg8lawWHCzAG8FPz4qFX5j3yhNDyvtQjRbGslem/4/EiVjNWE2EvOdjyosfc/XQlcJy0UMYuBlwPyD7G0PMwgK+aE8sXYfbVmQCxFp3amvhkQ5v2Ev8ImDkMhr5taX/Pi/4lVov1zK7EEMpcIBoNV+b2OPxVXMkozqbZCbFJMnqWIMqvWONk8LAKYwbUB1RdFuWOET8qoJi8LJYOVWZxUQZ5er1nNPBOlO7p/blAXEsqBO39Bgiyvt9KjCcpKyUHTdE2vrHoDzrwzAmWVJjMQlEYrEduS4QXBf4EWRvEJWk6AnZ3p61GuSF3gAC0ibwnTDCHXdR0+p8hME9Wka8nQIbU7GTD4Qp2YeZIcJhzSjFRGUQF/bEaeud5UObqHhxghBGU63s4ovgBXD6dSYEbDffkO5gzsptAYyEN5VE7d+tuCUflsHwms3l3yjxf/SntpPqbuBPoKeJzgZlbHooblnAk7iTBCtDahbar5EUYd2I0b41S/sIuHw==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: comcast.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4351.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3d6600b1-446c-4576-e5a8-08dbe6ac390d
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Nov 2023 13:59:16.8533 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 906aefe9-76a7-4f65-b82d-5ec20775d5aa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TY6JXgPyun/LXDFrXpiRqC9CorYE5TB50ztvquknkxPR/5EE8XSPKERIJ3VPVig/9ZpO34kI5fqW+lw7sWD0qTnLhZsrS+SjT0x+sWAMun0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR11MB6710
X-Proofpoint-GUID: YZ5WJwE_5veeZ6SjK00eN9Y-866tz5_D
X-Proofpoint-ORIG-GUID: YZ5WJwE_5veeZ6SjK00eN9Y-866tz5_D
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-16_13,2023-11-16_01,2023-05-22_02
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/lfWtM97FFd-khUbspbP_MZb1r6c>
Subject: Re: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2023 13:59:32 -0000

Mechiel,

TLSRPT is going to look for its information at _smtp._tls.<rcpt domain>.  That same <rcpt domain> should  be the policy-domain in the report.  The domain for the MTA-STS/DANE policies may be different such as you mentioned with DANE.  The MX for foo.com could point at mx.example.net.  The TLSRPT will look for policy at _smtp._tls.foo.com, but DANE will look at _25._tcp.mx.example.net.

-- 
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
 

> -----Original Message-----
> From: Uta <uta-bounces@ietf.org> On Behalf Of Mechiel Lukkien
> Sent: Tuesday, November 14, 2023 9:39 AM
> To: uta@ietf.org
> Subject: [Uta] SMTP TLS reporting (RFC 8460), policy domains and DANE
> 
> Hi all,
> 
> I'm implementing (outgoing) SMTP TLS reporting (RFC 8460) in my mail server
> (https://urldefense.com/v3/__https://github.com/mjl-
> /mox__;!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juWS_PVpu$
> ) and am getting confused by TLSRPT's use of "domain"/"recipient
> domain"/"policy domain", especially related to DANE. It seems to me these
> concepts are getting mixed up.
> 
> Since TLSRPT is a companion document to MTA-STS, targeting MTA-STS has
> probably been its focus. MTA-STS specifies a policy for a recipient domain. But
> DANE policies are specified per mail hosts (typically MX target), not recipient
> domains. The terminology section about "policy domain" says:
> 
>    o  Policy Domain: The domain against which a TLSRPT, an MTA-STS, or a
>       DANE policy is defined.  For TLSRPT and MTA-STS, this is typically
>       the same as the envelope recipient domain [RFC5321], but when mail
>       is routed to a "smarthost" gateway by local policy, the
>       "smarthost" domain name is used instead.  For DANE, the Policy
>       Domain is the "TLSA base domain" of the receiving SMTP server as
>       described in Section 2.2.3 of RFC 7672 and Section 3 of RFC 6698.
> 
> Consider delivering a message to "user@recipientdomain.example". The
> recipient domain is "recipientdomain.example" (with an MTA-STS policy), an
> MX target could be "mx.recipientdomain.example" (the TLSA base domain
> with a DANE policy). Given the terminology section, I would think this would
> find a policy-typ "sts" at policy-domain "recipientdomain.example", and a
> policy-type "tlsa" at policy-domain "mx.recipientdomain.example". Since the
> terminology section for Policy Domain (above) says TLSRPT is defined against a
> policy domain, that means the operator of mx.recipientdomain.example
> should create a TLSRPT record at _smtp._tls.mx.recipientdomain.example to
> receive DANE-related TLS reports (along with one at
> _smtp._tls.recipientdomain.example for sts). That approach seems reasonable
> to me, but most of the RFC seems written with the idea that only a recipient
> domain would have a TLSRPT record/policy. And that's also how my initial
> prototype implemented it, with TLSA results gathered into
>   a report for the recipient domain. When I thought I was done implementing
> (after struggling with merging the various "sts", "tlsa" and "no-policy-found"
> results), and reading the RFC again, I found the terminology of "policy
> domain" (which feels like the correct approach to me) and changed the
> implementation to match its conceptual explanation. I haven't had a per-
> mailhost TLSRPT DNS record for long on my mail host, but haven't received a
> TLS report for it. I've only received 1 TLSRPT with a "tlsa" policy so far (along
> with the specified "sts" policy), from Microsoft, and it lists my recipient
> domain as the tlsa "policy-domain" (not the mx target which has the policy),
> so it seems they have an interpretation similar to what I initially had.
> 
> I'm left wondering what the correct and/or intended interpration is for
> recipient/policy domain, whether mail hosts should have their own TLSRPT
> policy DNS record, and what the expected "policy-domain" values are in TLS
> reports.
> 
> Below are some references to specific lines in the RFC related to
> policy/recipient domains. The RFC  is cross-referenced with the
> implementation, sometimes with todo-annotations. Aside: Is there a way to
> link to specific lines of an RFC at the datatracker or rfc-editor.org? I haven't
> found it yet.
> 
> Mentioning recipient domains in "Abstract":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L2
> 9__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4uX
> VYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1jucfWS7K2$
> 
>    This document
>    describes a reporting mechanism and format by which sending systems
>    can share statistics and specific information about potential
>    failures with recipient domains.
> 
> This says the recipient domain "uses" DANE in "Introduction":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L1
> 93__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1jubyCcHZ5$
> 
>    Recipient domains may also use the mechanisms defined by MTA-STS
>    [RFC8461] or DANE [RFC6698] to publish additional encryption and
>    authentication requirements;
> 
> SMTP TLSRPT describes itself as sending reports to recipient domains, in
> "Related Technologies":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L2
> 68__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juV85luFC$
> 
>    o  SMTP TLSRPT defines a mechanism for sending domains that are
>       compatible with MTA-STS or DANE to share success and failure
>       statistics with recipient domains.
> 
> Domain and policy domain in "Reporting policy", not recipient domain:
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L2
> 89__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juXE1NEK9$
> 
>    A domain publishes a record to its DNS indicating that it wishes to
>    receive reports.  These SMTP TLSRPT policies are distributed via DNS
>    from the Policy Domain's zone as TXT records [...]
> 
> Talking about recipient domain instead of policy domain in "Reporting policy":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L3
> 78__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1jueD9M9mL
> $
> 
>    If the number of resulting records is not one, senders MUST assume
>    the recipient domain does not implement TLSRPT.
> 
> The following may be talking about a recipient domain with an MX target equal
> to the recipient domain (or no MX record at all), in "Reporting schema":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L4
> 62__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juQF7_ebn$
> 
>    Reporters may report multiple
>    applied policies (for example, an MTA-STS Policy and a DANE TLSA
>    record for the same domain and MX).  Because of this, even in the
>    case where only a single policy was applied, the "policies" field of
>    the report body MUST be an array and not a singular value.
> 
> The "policy-domain" field should be the domain the policy is defined against. I
> would say that's the MX target with the TLSA record for DANE. In "JSON
> Report Schema":
> https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L7
> 04__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4u
> XVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juVlgzThd$
> 
>    o  "domain": The Policy Domain against which the MTA-STS or DANE
>       policy is defined.
> 
> Some more notes/feedback I wrote down while implementing:
> 
> - Implementors need to carefully handle combinations of sts vs no-sts and tlsa
> vs no-tlsa, and possibly combine those into a no-policy-found result. MTA-STS
> and DANE aren't mutually exclusive. What about just having policy results "no-
> sts" and "no-tlsa"? Seems more explicit to me and is easier to implement.
> There can also be cases where only some MX targets of a recipient domain
> have a DANE policy.
> - Since detecting injected MX targets is one of the goals of MTA-STS, I would
> expect a specific result type for when an MX target does not match the policy,
> but it seems missing. I think "certificate-host-mismatch"
> (https://urldefense.com/v3/__https://www.xmox.nl/xr/dev/rfc/8460.html*L
> 541__;Iw!!CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4
> uXVYoL2HXiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1jucKTnjK1$
> ) is about the TLS connection and certificate (a TLS connection will not be made
> when a MX target doesn't match the policy). Similarly, a result type for "none
> of the TLSA records match" seem like a relatively likely failure case and could
> have its own result type.
> - I think more fields in the failure details should be optional. SMTP IPs and/or
> MX hostnames aren't always in play, e.g. when reporting on MTA-STS policy
> fetch/parse or TLSA lookup failures. While the RFC is called "SMTP TLS
> reporting", it is also reporting about MTA-STS and DANE policies without TLS
> involved yet.
> - A "TLS-Required: No" header from the Require TLS RFC can cause a
> verification failure to be ignored. I think it's still useful to report failure details,
> but the connection would succeed. How this case should be reported could be
> up for discussion.
> - I don't submit TLS reports to HTTPS reporting addresses because I don't see a
> way the receiver can authenticate and use them. Report messages must have
> a DKIM signature (I'm sending it with d= exact/strict host name, but accept
> domains up to the public suffix domain for incoming reports, I think the RFC
> requires the exact match). But reports submitted over HTTPS seem to be just
> the JSON (optionally with gzip). Submitting a report _message_ over HTTPS,
> with DKIM signature, could solve the problem. I think the RFC could be stricter
> with its use of "report" (the JSON document) vs "report message" (email
> message with a report as attachment).
> 
> Cheers,
> Mechiel
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/uta__;!!
> CQl3mcHX2A!D9Xu1BLWleyttI4TKEApW7sBSYzIfWJXnKC9vokcSZ4uXVYoL2H
> XiO0qvrZG0g8RwCGcIqNor_UY3c1kfSAv8a2QOOTA9F1juR-QrKQn$

v2.23.0 | Report a Bug | By Email