On 7 Jan 2019, at 7:25 pm, Viruthagiri Thirumavalavan
<giri(_at_)dombox(_dot_)org> wrote:
> Hello Everyone,
> I have a proposal for SMTPS. I have already gathered some feedback from the UTA
> working group and improved my draft.
> My proposal is a very simple document. So, please go through it and give me
> feedback if you can.
> Here is my abstract.
> ---------
> SMTP is still suffering from downgrade attacks like STRIPTLS. While we have
> "Opportunistic TLS", we still don't have "Implicit TLS" in SMTP. Don't
> get me wrong. We do have "Implicit TLS" for "SMTP Submission" on port 465.
> But we don't have a secure port 25 alternative, i.e. the real SMTPS.
> Both MTA-STS and MTA-DANE try to fix the STARTTLS downgrade issue. However,
> the implementation is not simple. The former requires an HTTPS server and the
> latter requires DNSSEC.
Are you saying that generating a TLSA records is hard? There are plenty of
tools available for that.
e.g. https://www.huque.com/bin/gen_tlsa
Are you saying DNSSEC is hard? Really? Have you tried to publish a signed
zone lately?
Create 2 keys, one of which has the KSK flag set (-a selects the algorithm;
-A in dnssec-keygen is the activation date, so the option is lower-case):
dnssec-keygen -a RSASHA256 -b 4096 -K /var/named/keys -f KSK example.net
dnssec-keygen -a RSASHA256 -b 4096 -K /var/named/keys example.net
and in named.conf you tell named where to find the keys and to sign the zone,
maintaining the RRSIG records. With a 4096 bit RSA key you really don’t need
to roll the DNSKEYs ever.
options {
    key-directory "/var/named/keys";
};
zone example.net {
    type master;
    file "/var/named/master/example.net.db";
    auto-dnssec maintain;
    inline-signing yes;
};
Once that is setup you add DS records to the parent zone which is no harder
than adding NS records.
It’s the same or simpler level of complexity with other name server
implementations.
Add to that that most (>50%) of the DNS responses on the planet are being DNSSEC
validated today, even if the result of that validation is insecure; there is no
way to say DNSSEC should be seen as a reason to invent a new method.
Sorry, "DNSSEC is HARD" is a MYTH. "DNSSEC isn’t deployed" is a MYTH. It’s come
a long way from having to manually re-sign the zone with external tools
periodically. Just because your favourite registrar or DNS hosting service has
been asleep at the wheel for a decade doesn’t make it hard; it just means you
need to switch to someone that wants your business and implements today's DNS
and not that of the 1980s.
And name servers can even return most of the records the MTA needs in a single
query.
[beetle:bin/tests/system] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.
; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10869
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 0cc82edbe25fb743b37327535c35380e644e065163baae04 (good)
;; QUESTION SECTION:
;isc.org. IN MX
;; ANSWER SECTION:
isc.org. 6793 IN MX 10 mx.pao1.isc.org.
isc.org. 6793 IN MX 20 mx.ams1.isc.org.
isc.org. 6793 IN RRSIG MX 5 2 7200 20190206233314
20190107233314 19923 isc.org.
UBu26XwokUyCwZvBzp5+kajy686RF4cdA/Un3Z3vtEARG8qx0hQfHoTk
lGfGPkt21QdZmqX+ZJcdO3LfA+qU9A3aEJMXZi9aMZkPDWu1aPsJBu6U
3U3Tj9j+DsqL2Uk780TAqQQQWFUwIHF+y0hcRIWPaqUuvygl/5jxdVDN Mls=
;; ADDITIONAL SECTION:
mx.pao1.isc.org. 3195 IN A 149.20.64.53
mx.ams1.isc.org. 3199 IN A 199.6.1.65
mx.pao1.isc.org. 3195 IN AAAA 2001:4f8:0:2::2b
mx.ams1.isc.org. 3200 IN AAAA 2001:500:60::65
mx.pao1.isc.org. 3195 IN RRSIG A 5 4 3600 20190206233333
20190107233333 13902 pao1.isc.org.
WrDcCGC0SmNUSh+DBxogVXWU2PQVpJ/6S/WJxpU4fLDpI+0J85aep+e1
NwZRUuw9N5RRuslQSz0y+aiwB0RACq2wbPUxDem21KpzKE8rlrAlf0U9
k9sT1PeCkWu7QOiWgEksnoJijyCVY41Q/GB0HnWzaO4jUtay6e/PBj4c IiA=
mx.pao1.isc.org. 3195 IN RRSIG AAAA 5 4 3600 20190206233333
20190107233333 13902 pao1.isc.org.
EaYgxAGrmJ9oiX4u2DfIcHKCqen3RNGylmWT0VjJ8VWY5e/c5TA1eI5U
evGsvYhvLD4WvR8hzvKxp4Pc5EYKLoB+YRI4ttUgnTydsEI0xFCcgB4+
dFb+89h8e6tHSPhUa1wa7ObriKm1O5FzplEXLfNFbgEUN6oJOIMw7q8w cC8=
_25._tcp.mx.pao1.isc.org. 3197 IN RRSIG TLSA 5 6 3600 20190206233333
20190107233333 13902 pao1.isc.org.
liSDcLgGpDXqgTxkv2sQBI3OsACPflpxoZxcrgSge4yTe5gA97NOPe0l
ECmDBPzUkhcRI6Mwv+uBCmm5FBvgh0leNxLXzACdkCX8EscE3v74wd5o
ReCRGFAhV6TBjycwejkGARVTYF23RyRflq2/fRV2hoOdH2ImcW7/SMqA 8Jg=
mx.ams1.isc.org. 3199 IN RRSIG A 5 4 3600 20190206233315
20190107233315 5730 ams1.isc.org.
E+6nzEbFAcftlr3UTaCcw0LAHYIdVe5TNfyIwVwU71AzZB22jiif/BrQ
KxemOrR7LT7ukfDRjnEzfV1/s0Wwfxh0b79otxrDwssKzNKz9XhaIhVf
j17oyuQBkYjYv5RBuwsrmKQmSbu56Zu7G35xp2qbKi6E+3lpXPghnrnJ DBk=
mx.ams1.isc.org. 3200 IN RRSIG AAAA 5 4 3600 20190206233315
20190107233315 5730 ams1.isc.org.
ov/6HUTx8v7t31KBYVgDy02Bpe8rJX431vPDdRZvKKhffFrYmUOIXEqD
Q/3+DNV1axSJCTONJ1NwzoSC8LDwQQFUcAsXnhcW/C/Z3rbaEthetmmP
TERuRGjF3QdA+qFM8RCc83s+hp1RXo5cU+9wA8OTPT5nTmfthkDs/cUi 0o8=
_25._tcp.mx.ams1.isc.org. 3202 IN RRSIG TLSA 5 6 3600 20190206233315
20190107233315 5730 ams1.isc.org.
qdzOyIbkPhufqw6/B5bwpxJ0pfVeUay2v8O5spUa+xgHdLQFNS851vlW
KOYrNfZALDomXkOyfAVTEZXQ1g3xf0gzIcRCy0PHcgDtgl5a56AilFGB
n6LZVkh6lbAkQ8lSmlKWmOvAmJnXh6L6dX8/CQzpWT7G0EEL1EcvLW6p uZ0=
_25._tcp.mx.pao1.isc.org. 3197 IN TLSA 3 0 1
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
_25._tcp.mx.ams1.isc.org. 3202 IN TLSA 3 0 1
5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 09 10:53:50 AEDT 2019
;; MSG SIZE rcvd: 1555
[beetle:bin/tests/system] marka%
This draft is not needed. ALL IT DOES IS MAKE MORE WORK FOR MTA IMPLEMENTERS AND
OPERATORS.
DO NOT PROCEED!!!!!!!!!!!!!!
> This document proposes a new port 26, an "Implicit TLS" alternative for port
> 25, and recommends that the MX server signal the port via a prefix.
> e.g. mx1.example.com should be prefixed like smtps-mx1.example.com.
> Where "smtps-" says "We prefer if you connect to our SMTPS on port 26. But we
> also accept mail on port 25. And our port 25 supports Opportunistic TLS. So
> if the STARTTLS command is not found in the EHLO response or the certificate
> is invalid, then drop the connection".
> --------
> Thanks
> --
> Best Regards,
> Viruthagiri Thirumavalavan
> Dombox, Inc.
> _______________________________________________
> ietf-smtp mailing list
> ietf-smtp(_at_)ietf(_dot_)org
> https://www.ietf.org/mailman/listinfo/ietf-smtp
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
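As an added example (not code from either message in this thread), the two TLSA records from the dig output above are parsed and checked the way a DANE-aware MTA matches a usage 3 (DANE-EE) record against the certificate presented during STARTTLS. The certificate bytes are a constructed stand-in, and only selector 0 (full certificate) is implemented.

```python
import hashlib
import re

# The two TLSA RRs from the thread's dig output, in dig presentation format.
# dig breaks the hex association data with a space; the parser must re-join it.
TLSA_TEXT = """
_25._tcp.mx.pao1.isc.org. 3197 IN TLSA 3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
_25._tcp.mx.ams1.isc.org. 3202 IN TLSA 3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916
"""
TLSA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_tlsa(text):
    """Return {owner: [(usage, selector, matching_type, assoc_bytes), ...]}."""
    records = {}
    for line in text.splitlines():
        m = TLSA_RE.match(line.strip())
        if m:
            owner, usage, selector, mtype, data = m.groups()
            assoc = bytes.fromhex(data.replace(" ", ""))
            records.setdefault(owner, []).append(
                (int(usage), int(selector), int(mtype), assoc))
    return records

def association_data(cert_der, selector, mtype):
    """Association data a certificate yields for this selector / matching type."""
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; not done here.
        raise NotImplementedError("only selector 0 (full certificate) supported")
    if mtype == 0:
        return cert_der                           # exact match
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()  # SHA-256, as in the dig output
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")

def cert_matches_tlsa(cert_der, rrset):
    """True if any DANE-EE (usage 3) record matches the presented certificate.
    Records this code cannot evaluate are skipped, not counted as a mismatch;
    usages 0-2 need the chain or a trust anchor and are out of scope here."""
    for usage, selector, mtype, assoc in rrset:
        if usage != 3:
            continue
        try:
            if association_data(cert_der, selector, mtype) == assoc:
                return True
        except (NotImplementedError, ValueError):
            continue
    return False
```

In a real MTA the cert_der argument is the DER certificate presented in the STARTTLS handshake, and the rrset is the DNSSEC-validated TLSA RRset looked up at _25._tcp.<mx-host>.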