Tony Finch wrote:
> I have just submitted an I-D describing how to use DANE with SMTP. All
> comments welcome.
Hi Tony,
I think an example should be added to make it clear what a possible
implementer would be considering. Showing maybe where similar
idea(s) are applied now.
So if I read your document right, please correct, this would be akin
to a BROWSER (interactive client) doing a "Common Name" check.
If so, I seem to recall some SMTP clients, interactive clients as with
a MUA, also doing a popup for the user, but I may be lumping that with
our own wcSMTPJr client we provide as a command line tool for sending
a message, usually for testing, which has an option to check that the
"common name" is the same as the host provided to connect.
Here is an example run:
D:\local> wcsmtpuser /site:mail.winserver.com
wcSmtpUser 3.1 (c) 2004-2010 SSI (/? for help)
- ini file : wcsmtpuser.ini
- ini section : mail.winserver.com
- server name : mail.winserver.com
- user name : hector.santos
- use ssl : YES
- auth method : 1
* connecting to 208.247.131.9:25
S: 220-winserver.com Wildcat! ESMTP Server v6.4.454.1 ready
S: 220-************** WARNING: FOR AUTHORIZED USE ONLY! **********************
S: 220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS *
S: 220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
S: 220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
S: 220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
S: 220 ************************************************************************
C: EHLO hdev20.santronics.com
S: 250-winserver.com, Pleased to meet you.
S: 250-SIZE 10240000
S: 250-8BITMIME
S: 250-SUBMITTER
S: 250-ETRN
S: 250-AUTH CRAM-MD5 LOGIN PLAIN PLAIN-MD5 SHA-1
S: 250-AUTH=LOGIN
S: 250-HELP
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
** SSL Negotiated session
** Certicate Information File: secure.winserver.com.cert
** CERT Common Name : secure.winserver.com
** CERT Organization: secure.winserver.com
** CERT Valid Until : Dec 27 18:55:51 2012 GMT (Days Left: 214)
** CA Country : US
** CA Organiziation : GoDaddy.com, Inc.
** CA Common Name : Go Daddy Secure Certification Authority
!! connection domain : mail.winserver.com
!! common name : secure.winserver.com
!! Certificate CONNECTION DOMAIN and COMMON NAME mismatch! Accept? Yes or No?
My MX is mail.winserver.com but I have been using our
secure.winserver.com sub-domain for the SSL certificate.
wcSMTPjr has three options (per host section):
Cert.Expired.Allow=0 # cert expiration check
Cert.NoMatch.Server.Allow=0 # CN vs connecting host check
Cert.NoMatch.Host.Allow=1 # CN vs PTR records of IP check
So if the above makes sense, how does this DANE-SMTP proposal help me,
as an example like including the TLSA record that needs to be created?
I guess, if anything else, there are two client suggestions to highlight:
- Automated MTA (router)
- Interactive MUA smtp client
Like RFC5321 provides insight here, only with an MUA-SMTP client can
you do "human" confirmation checks or graceful aborts without losing
the message. The MUA-SMTP client may fail to send the message if any
55x is issued, like with a RCPT TO command. But with an MTA router, it
continues.
Make sense?
Thanks
--
HLS
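An added example (not the author's wcSMTPjr code, nor code from the I-D) of the two checks discussed in this message: the CN/SAN-versus-connection-host check beside a DANE-EE (usage 3) TLSA check as RFC 6698 defines it, using the mail.winserver.com / secure.winserver.com names from the run above. The certificate bytes and the TLSA association data are constructed placeholders, so the hashes are only illustrative.

```python
# Added example, not wcSMTPjr or I-D code: hostname check vs. DANE-EE TLSA check.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for a parsed server certificate (constructed data)."""
    common_name: str
    sans: list = field(default_factory=list)  # dNSName SANs
    der: bytes = b""    # full certificate DER   (TLSA selector 0)
    spki: bytes = b""   # SubjectPublicKeyInfo   (TLSA selector 1)


def name_matches(cert, connect_host):
    """wcSMTPjr-style check: is the host we connected to named in the cert?
    SANs are tried first, CN as a fallback; one leading '*.' label only."""
    host = connect_host.lower().rstrip(".")
    for name in list(cert.sans) + [cert.common_name]:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def tlsa_data(cert, selector, matching_type):
    """RFC 6698 association data: selected cert part, hashed per matching type."""
    data = cert.der if selector == 0 else cert.spki
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    return data  # matching type 0: full data


def tlsa_rdata(cert, usage=3, selector=1, matching_type=1):
    """Presentation-form RDATA to publish at _25._tcp.<mx host>, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching_type} {tlsa_data(cert, selector, matching_type).hex()}"


def dane_ee_matches(cert, tlsa_records):
    """Accept if any usage-3 record pins this cert; with DANE-EE the DNS record,
    not the host name in the certificate, is what binds cert to MX host."""
    return any(u == 3 and tlsa_data(cert, s, m) == assoc for u, s, m, assoc in tlsa_records)


# Constructed stand-ins for the page's MX host and its certificate.
MX_HOST = "mail.winserver.com"
SERVER_CERT = Cert("secure.winserver.com", der=b"<constructed cert DER>", spki=b"<constructed SPKI DER>")
TLSA_RECORDS = [(3, 1, 1, tlsa_data(SERVER_CERT, 1, 1))]  # what _25._tcp.mail.winserver.com would carry
```

With these inputs the name check fails exactly as in the run above (connection domain mail.winserver.com, CN secure.winserver.com), while the TLSA check passes.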