Maybe better, I do not know. I do not know right place to recommend
this, I hope it is not too out of place here.
Opportunistic TLS is a concept I do not like. DANE fixes the issues for
system admins willing to implement DNSSEC and add a TLSA record but it
seems many are not, so MTA-STS was invented.
MTA-STS has the same flaw as opportunistic TLS. It uses an insecure
channel to determine if it should use a secure channel.
If Mallory can eavesdrop and MITM the message from Alice to Bob, then
Mallory can likely alter the DNS responses and thwart MTA-STS either by
saying the needed DNS record for MTA-STS does not exist, and possibly
doing the same for the A/AAAA records for the specified subdomain used
for MTA-STS if the server checks them anyway.
A better solution is to bring back Port 465 and SMTPS.
When Alice connects to Bob on Port 465, the certificate MUST validate in
one of two ways:
A) DNSSEC validated TLSA record
B) Trusted CA with Certificate Transparency and OCSP stapled
If a DNSSEC validated TLSA record exists, then either it validates or
the connection drops and bounces as undeliverable.
If no DNSSEC secured TLSA record exists, then B is used. Failure to
validate likewise results in message undeliverable.
Port 25 is only used if Port 465 is not listening *and* no TLSA record
exists for Port 465.
For servers that do not use DNSSEC, they can optionally send a response
on first successful to Port 465 telling the client to never connect via
Port 25 similar to how HSTS works, so that if a future attack blocks
Port 465, Port 25 would not be tried until X days had passed.
This solution takes opportunistic completely out of the equation for
servers that use DANE and for servers that don't use DANE, allows them
to send a command upon first successful connection that takes future
opportunistic out of the equation.
The *only* think MTA-STS does for non DNSSEC users that this doesn't do,
MTA-STS does provide a somewhat secured list of MX hosts, but only if
the A/AAAA record response is not modified by the attacker.
If this has merit, who do I submit it to?
