Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 12 April 2018 02:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D14312D88F; Wed, 11 Apr 2018 19:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jj54G9BLcIt3; Wed, 11 Apr 2018 19:23:13 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEA9C12D88A; Wed, 11 Apr 2018 19:23:12 -0700 (PDT)
Received: from [10.200.0.109] (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 827E77A3309; Thu, 12 Apr 2018 02:23:11 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAKHUCzyOUqsONrxSLOXk9wZrUCRiBTw6mrHPsHkYQk87DyV0HA@mail.gmail.com>
Date: Wed, 11 Apr 2018 22:23:10 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: "ietf@ietf.org Discussion" <ietf@ietf.org>, uta@ietf.org
Message-Id: <3D9206C8-925A-4993-83BA-587E1CA8E0FC@dukhovni.org>
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <FFB5B96A-E0BA-47D6-987F-245C7243012C@dukhovni.org> <CAKHUCzyOUqsONrxSLOXk9wZrUCRiBTw6mrHPsHkYQk87DyV0HA@mail.gmail.com>
To: "ietf@ietf.org Discussion" <ietf@ietf.org>, uta@ietf.org
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/uxGOBvoDdbY8NP1RwQx9VLVu4jU>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 02:23:15 -0000
> On Apr 11, 2018, at 6:52 PM, Dave Cridland <dave@cridland.net> wrote: > > Well, one assumes that an MTA gives out the policy for the MTA, not the domain, but otherwise I take your points. I don't think that we'd end up in a place markedly different, with the exception that it'd be MTA policy rather than domain policy. Unfortunately, per-MTA rather than per-domain policy entirely loses all protection against active attacks when the MX RRset is not secure. The MiTM just forges the MX RRset, yielding new hosts for which no policy is stored. >> For the record, I'd still rather see the providers in question implement DANE, and this should be increasingly doable as they move their email servers to dedicated domains (e.g. in Google's case many new customers are on googleemail.comMX hosts, rather than the legacy aspmx.l.google.com et. al.). So I see STS as a transitional technology that buys time. I am not advocating STS, but I recognize that there's an operational reality that makes DANE difficult for the large providers at present. > > I can sympathise with that, but MTA-STS is not built as a transitional technology. Time will tell. Either approach may yet fail to gain much traction. So, yes, we can't assume that MTA-STS is transitional, that's mostly how I like to think of it... >> The reason for MX patterns is to avoid the operational pain of having to always update one's MX RRset in two places (in DNS and on a web server). A domain with an MX RRset >> of the form: >> >> example.com. IN MX 0 mx1.mail.example.com. >> example.com. IN MX 0 mx2.mail.example.com. >> >> would be able to specify a stable MTA-STS policy of: >> >> mx: .mail.example.com. >> >> and later change the MX RRset to: >> >> example.com. IN MX 0 mx1.mail.example.com. >> example.com. IN MX 0 mx2.mail.example.com. >> example.com. IN MX 0 mx3.mail.example.com. >> example.com. IN MX 0 mx4.mail.example.com. >> >> without having to update the MTA-STS policy. > > If we assume that the MTA-STS document will always be created manually. But the only POSH-supporting provider I could find generates the POSH JSON document for their customers; it's trivial for a provider to do. There will be all kinds of implementations, and all kinds of ways for operators to mess up their deployment. Making it easier to not mess up has a very high priority from my perspective. Overly brittle security gets turned off. > I genuinely feel that matching a pattern against another pattern is introducing an unnecessary complexity into a security protocol. This is not difficult, OpenSSL has supported this type of peername matching for some time, with the API simplified in 1.1.0: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_hostflags.html https://www.openssl.org/docs/man1.1.0/ssl/SSL_add1_host.html For MTA-STS one would call: /* XXX: make sure policy has at least one reference id ("mx" value) */ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL /* callback */); SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS); for (i = 0; i < reference_id_count; ++i) { int ok; if (i == 0) ok = SSL_set1_host(ssl, reference_id[i]); else ok = SSL_add1_host(ssl, reference_id[i]); if (!ok) { /* handle error */ } } /* * XXX: Perform SSL_connect() handshake and handle errors here * If unverified handshakes are allowed to continue, then the * the verify resolt below may not be X509_V_OK... */ if (SSL_get_verify_result(ssl) == X509_V_OK) { const char *peername = SSL_get0_peername(ssl); if (peername != NULL) { /* Name checks were in scope and matched the peername */ /* This should always be the case with MTA-STS */ } } else { /* Handle unverified peer */ } > In any case, if the MX RRset changes in that way, an administrator has to check each certificate to see what the dNSNames are anyway, surely? Only if they don't already know that what's in the policy. If their design has a fuzzy MTA-STS policy of ".mail.example.com" and their operational practice is to always name MX hosts "mx<N>.mail.example.com" for some value of <N>, then they don't need to check anything when adding or removing MX hosts. -- Viktor.
- [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> … The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- [Uta] Digression on DANE for MTAs implementation … Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Daniel Margolis