ietf-smtp

Re: [ietf-smtp] DANE penetration for MTA/MTA interactions

2021-03-24 19:47:50
On Thu, Mar 25, 2021 at 12:03:25AM +0000, Richard Clayton wrote:

>> The only other game in town is MTA-STS, which is a Rube Goldberg
>> contraption with DNS text records, long-term policy caches, HTTPS
>> services and having to duplicate MX records outside of DNS.  It isn't
>> gaining broad traction beyond the large providers.

> Indeed ... but it fixes the actual real world problem which the large
> providers have

That's fine, I don't begrudge them that choice.  I even helped with
crafting the specification.  But since I am not a fan of centralised
email, I think it is healthy to have a cleaner design that isn't
primarily tied to the short-term needs of the largest providers.

In terms of breadth of adoption (number of supporting inbound
domains and MTAs) DANE is presently competing favourably with MTA-STS.

    $ curl -sLo - https://mta-sts.outlook.com/.well-known/mta-sts.txt
    version: STSv1
    mode: testing
    mx: *.olc.protection.outlook.com
    max_age: 604800

    $ curl -sLo - https://mta-sts.yahoo.com/.well-known/mta-sts.txt
    version: STSv1
    mode: testing
    mx: *.am0.yahoodns.net
    mx: *.mail.gm0.yahoodns.net
    mx: *.mail.am0.yahoodns.net
    max_age: 86400

So it looks like the MTA-STS club in the USA is Google and Comcast:

    $ curl -sLo - https://mta-sts.comcast.net/.well-known/mta-sts.txt
    version: STSv1
    mode: enforce
    mx: mx1.comcast.net
    mx: mx2.comcast.net
    max_age: 2592000

    $ curl -sLo - https://mta-sts.gmail.com/.well-known/mta-sts.txt
    version: STSv1
    mode: enforce
    mx: gmail-smtp-in.l.google.com
    mx: *.gmail-smtp-in.l.google.com
    max_age: 86400

with Microsoft and Yahoo still not live with the spec 2.5 years old.

>> It never made sense.  Just do STARTTLS if unverified DNS is good
>> enough, so are unverified certificates.

> There's a growing literature on why security standards are widely
> adopted (and why so many fail) along with a pretty good understanding of
> what levers are available ... 

Some of it is perhaps even reflected in RFC7435.  Again, we have
STARTTLS, that's the cake.  DANE and MTA-STS are icing.

-- 
    Viktor.
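An added illustration, not part of the thread: a minimal parser for the MTA-STS policy files shown in the curl output above (RFC 8461 key/value format), with the wildcard MX matching rule and the difference a sender sees between "mode: testing" and "mode: enforce". The OUTLOOK_POLICY string is the outlook.com policy copied from above; the action names returned by sender_action are this example's own.

```python
from dataclasses import dataclass, field

# Policy text as returned by the curl command quoted above (outlook.com).
OUTLOOK_POLICY = "version: STSv1\nmode: testing\nmx: *.olc.protection.outlook.com\nmax_age: 604800\n"

@dataclass
class StsPolicy:
    mode: str                               # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)  # lowercase MX patterns
    max_age: int = 0                        # cache lifetime in seconds

def parse_policy(text: str) -> StsPolicy:
    """Parse 'key: value' lines (RFC 8461 section 3.2); only 'mx' may repeat."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    return StsPolicy(mode, mx, int(fields.get("max_age", "0")))

def mx_matches(host: str, pattern: str) -> bool:
    """A leading '*.' matches exactly one leftmost label (RFC 8461 section 4.1)."""
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                    # e.g. ".olc.protection.outlook.com"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix

def sender_action(policy: StsPolicy, mx_host: str) -> str:
    """What a policy-aware sender does with an MX host taken from the recipient's DNS."""
    if policy.mode == "none" or any(mx_matches(mx_host, p) for p in policy.mx):
        return "deliver"
    # Unlisted MX: enforce refuses; testing still delivers but reports via TLSRPT (RFC 8460).
    return "refuse" if policy.mode == "enforce" else "deliver+report"
```

Note that a "testing" policy never blocks delivery, which is why the thread treats Microsoft's and Yahoo's policies as not yet live.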

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp