On 1/5/19 9:54 PM, Grant Taylor wrote:
On 1/5/19 10:28 PM, Alice Wonder wrote:
Requiring TLS is pointless if the MX record is not secure.
I'm inclined to disagree. - I see value in requiring TLS via STARTTLS
even if the MX record wasn't secured. - I say inclined because I can't
articulate the combinations of unmodified / modified MX record in
conjunction with all the other possibilities that connections can be
tampered with. Be it hijacking / route poisoning / simply filtering out
STARTTLS but not altering anything else.
It would only help with passive attacks. The MX host is quite often
completely unrelated to the mailbox domain, so if you can MITM the DNS
query you can feed it any MX answer you want that has a PKI validating
certificate and the MTA client has no reason to reject it.
That's why MTA-STS needs the https component, to secure the MX record
when DNSSEC is not used to do so.
When DNSSEC is used, DANE then is better at securing the connection so
MTA-STS is only needed when the server and/or client do not support
DANE for SMTP.
I disagree.
I believe the value of MTA-STS (and HSTS) is the ability to signal that
SMTP (HTTP) should -ONLY- be conducted over a secure connection via
STARTTLS (TLS). Meaning that SMTP (HTTP) should fail if there isn't a
secure connection.
Right, but SMTP does not involve a human user to look at the MX response
and see that it makes sense. The MX record is accepted as valid. DNSSEC
and the https component of MTA-STS provide two different approaches for
the MTA client to programmatically validate the MX response.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
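The point made in the thread is that an MTA-STS policy, fetched over HTTPS, gives the sending MTA something to check the DNS-supplied MX host against, so a forged MX answer pointing at an attacker host with a valid certificate is rejected in enforce mode. The following is an added example, not code from any participant in the thread or from an existing MTA: it parses a `_mta-sts` TXT record and an RFC 8461 policy file and applies the MX-matching and mode rules to a candidate MX host. Network fetching (the DNS query and the HTTPS policy retrieval) is left out; the TXT record, policy text and hostnames are constructed sample data, not real domains.

```python
"""Added example (not from the thread): how an MTA-STS-aware sending MTA
checks a DNS-supplied MX host against the policy it fetched over HTTPS
(RFC 8461 policy syntax). All hostnames and policy text are constructed."""

import re

# Constructed sample: DNS TXT record published at _mta-sts.<domain>.
SAMPLE_TXT = "v=STSv1; id=20190105T215400;"

# Constructed sample: body of https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; return the policy id, or None if invalid."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    # RFC 8461: id is 1..32 alphanumeric characters; it changes when the policy does.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the policy file into a dict; raise ValueError if it is malformed."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % line)
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("bad mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx entry")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*' stands for exactly one leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return host == pattern


def mx_allowed(policy, host):
    """True if the MX host from DNS is covered by some mx entry in the policy."""
    return any(mx_matches(p, host) for p in policy["mx"])


def should_deliver(policy, mx_host, tls_ok):
    """Apply the policy mode to one MX candidate. Returns (deliver, reason).

    tls_ok is the outcome of STARTTLS plus certificate validation against
    the MX hostname, decided by the caller."""
    if policy["mode"] == "none":
        return True, "no policy in effect"
    allowed = mx_allowed(policy, mx_host)
    if allowed and tls_ok:
        return True, "mx allowed and TLS validated"
    problem = "mx not in policy" if not allowed else "TLS failed"
    if policy["mode"] == "testing":
        return True, "testing mode: deliver anyway, report " + problem
    return False, "enforce mode: " + problem


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_txt(SAMPLE_TXT))
    # A forged MX answer pointing at an unrelated host is refused in enforce mode
    # even if that host presents a certificate a public CA would validate.
    print(should_deliver(policy, "evil.example.org", True))
    print(should_deliver(policy, "mx1.backup.example.com", True))
```

The decisive check is `mx_allowed`: in enforce mode a DNS answer naming a host outside the policy's `mx` list is refused regardless of the certificate it presents, which is exactly the case plain "require STARTTLS" cannot cover. Note the wildcard rule: `*.backup.example.com` matches `mx1.backup.example.com` but not `a.b.backup.example.com` or `backup.example.com` itself.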