Suggestion for the MTA-STS specification: Section 8.2 describes how to set up MTA-STS when using an email provider such as Google (G Suite).

This involves creating a TLS certificate for mta-sts.example.com and either setting up a reverse proxy or giving the certificate to the email hosting provider. Even with free Let's Encrypt certificates, this is rather cumbersome and has many moving parts. It would be handy if the domain owner of example.com could delegate the MTA-STS policy in a simpler way.

I appreciate that MTA-STS is supposed to work in scenarios where using DNSSEC is not possible/desired. However, in scenarios where the domain owner _does_ use DNSSEC but the email provider (e.g. Google) _does not_, DNSSEC could be used as a way for the owner of example.com to sign the delegation instead of using an HTTPS web server.

It could be implemented like this: A new field for the _mta-sts TXT record, "delegate" (or "d" to make it as short as possible), is introduced, e.g. "delegate=google.com". If present, the mail server should fetch the policy from https://mta-sts.google.com/.well-known/mta-sts.txt instead of https://mta-sts.example.com/.well-known/mta-sts.txt. The "delegate" field should be ignored unless the _mta-sts.example.com TXT record is signed with DNSSEC.

A domain owner who wants to implement MTA-STS would simply have to create a CNAME alias for _mta-sts.example.com pointing to the _mta-sts TXT record of the email provider, e.g. _mta-sts.google.com (assuming Google's record contains the string "delegate=google.com"). Or instead of a CNAME, the domain owner could create a regular TXT record like this: "v=STSv1; id=20171114T070707; delegate=_mta-sts.google.com".

This method also reduces the risk of downgrade attacks considerably, because the MTA-STS policies of large email providers such as Google are more likely to be cached by the sending MTA than the policies of domains owned by small companies and individuals.

What do you think of this?

Christian Schmidt

PS: I apologise if you get this twice. I posted the email a few days ago, but apparently it was never sent to the mailing list.
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
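The sender-side lookup logic the proposal above describes, written out as an added Python example (this is not code from the post, from the UTA working group, or from any MTA, and the "delegate"/"d" field is the poster's hypothetical extension, not part of RFC 8461). The DNSSEC requirement is modelled by an `authenticated` flag on a constructed TXT answer, standing in for the resolver's AD bit; a real MTA would take that from a validating resolver. Because the post writes the delegate both as `google.com` and as `_mta-sts.google.com`, the example accepts both by stripping a leading `_mta-sts.` label, which is an assumption of this example rather than something the post specifies:

```python
"""Policy-location logic for the proposed MTA-STS "delegate" field.

Hypothetical extension, not RFC 8461: only the v= and id= fields are real.
The DNSSEC check is simulated by a boolean carried with a constructed record.
"""
from dataclasses import dataclass

MTA_STS_PATH = "/.well-known/mta-sts.txt"


@dataclass
class TxtAnswer:
    """Constructed stand-in for a DNS TXT answer (not real DNS data).

    `authenticated` models the resolver's AD bit, i.e. the TXT record
    validated under DNSSEC. A real MTA would read it from its resolver.
    """
    name: str
    text: str
    authenticated: bool


def parse_sts_record(text: str) -> dict:
    """Parse 'v=STSv1; id=...; delegate=...' into a dict of lower-cased keys.

    Fields are ';'-separated key=value pairs; surrounding whitespace is
    ignored. Raises ValueError if this is not a usable STSv1 record.
    """
    fields = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if "id" not in fields:
        raise ValueError("missing id field")
    return fields


def policy_host_for(domain: str, fields: dict, authenticated: bool) -> str:
    """Return the host the sender should fetch the policy from.

    The hypothetical 'delegate' (or 'd') field is honoured only when the TXT
    record is DNSSEC-authenticated, as the proposal requires. Otherwise the
    regular mta-sts.<domain> host from RFC 8461 is used. A leading
    '_mta-sts.' label on the delegate is stripped (assumption of this
    example, so that both spellings used in the post resolve the same way).
    """
    delegate = fields.get("delegate") or fields.get("d")
    if delegate and authenticated:
        target = delegate.rstrip(".")
        if target.lower().startswith("_mta-sts."):
            target = target[len("_mta-sts."):]
        return f"mta-sts.{target}"
    return f"mta-sts.{domain}"


def policy_url_for(domain: str, answer: TxtAnswer) -> str:
    """Full policy URL for `domain` given its (constructed) TXT answer."""
    fields = parse_sts_record(answer.text)
    host = policy_host_for(domain, fields, answer.authenticated)
    return f"https://{host}{MTA_STS_PATH}"


# Constructed sample answers for _mta-sts.example.com (not real DNS data).
SIGNED_DELEGATION = TxtAnswer(
    name="_mta-sts.example.com",
    text="v=STSv1; id=20171114T070707; delegate=_mta-sts.google.com",
    authenticated=True,
)
# Same delegation, but the record did not validate: delegate must be ignored.
UNSIGNED_DELEGATION = TxtAnswer(
    name="_mta-sts.example.com",
    text="v=STSv1; id=20171114T070707; delegate=google.com",
    authenticated=False,
)
# Ordinary RFC 8461 record with no delegation at all.
PLAIN_RECORD = TxtAnswer(
    name="_mta-sts.example.com",
    text="v=STSv1; id=20171114T070707",
    authenticated=False,
)

if __name__ == "__main__":
    for ans in (SIGNED_DELEGATION, UNSIGNED_DELEGATION, PLAIN_RECORD):
        print(f"{ans.text!r} (AD={ans.authenticated}) -> "
              f"{policy_url_for('example.com', ans)}")
```

The unsigned case is the one worth checking: without the DNSSEC condition, anyone able to spoof the TXT answer could redirect the sender to a policy host of their choosing, so the unauthenticated delegation silently falls back to mta-sts.example.com rather than failing open. The CNAME variant from the post needs no extra code: the resolver follows the alias and the sender parses Google's own record exactly as above.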
