Rather than use a hostname to specify SMTPS only, how about a DNS TXT
record to indicate SMTPS only?
And if that DNS TXT record exists, rather than waste a < 1024 port
number, just have the MTA client use Port 25 with STARTTLS required.
Then it is just like MTA-STS except w/o the HTTPS component that secures
the MX record.
But bottom line is to be RFC compliant, an MX host MUST accept on Port
25 without encryption.
The MTA client decides whether or not it wants to send without an
encrypted session, the server MUST accept if the client chooses to
connect without encryption.
The MX server already has two different ways it can advertise to MTA
clients they can safely require the connection to be secure, DANE for
SMTP and MTA-STS. Both of those ways secure the MX record.
All your proposal seems to be offering is MTA-STS without a mechanism to
secure the MX records.
I'm perfectly fine with the recommendation that MTA clients require a secure
connection if the DNS component of MTA-STS is present but the HTTPS
component is not there.
In fact I'm perfectly fine with MTA clients that refuse connections that
do not offer STARTTLS regardless of whether the other server offers
MTA-STS or DANE.
I already do that on web servers that are MTA clients only. When a
web-app user does a password reset, or anything else web-app account
related, I do not want it modified in transit allowing easy NSA (or
other) phishing access. So the receiving MX supports STARTTLS or the
message is not sent.
I don't need a different port number for that. And honestly it has never
been a problem, never had a user account use an e-mail where the MX
server did not offer STARTTLS. I'm sure they exist, but are not common.
I just don't see a need for what is proposed. I do not understand the
problem it solves. And securing the MX record (via DNSSEC or MTA-STS) is
something that SHOULD be encouraged, whether or not you are aware of
helicopters (helicopters is a reference to a link that argues DNSSEC isn't
really needed because some military generals didn't like technology that
shot down helicopters).
On 1/7/19 12:19 AM, Viruthagiri Thirumavalavan wrote:
Hey all, revised my draft based on the feedback I received from this
thread.
Changelog:
* Added starttls only support.
* Provided test cases for IDN names.
* Included Jim Fenton's proposal in the related projects section.
* No port hardcoding. Removed 26pref and 26only options. Now MX hosts
can start with either the "smtps-" or the "starttls-" prefix.
* Solution can be used along with STS and DANE
https://gist.github.com/mistergiri/a4c9a5f1c26fd7003ebc0652af95d314
Thanks
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
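The sending-side decision the reply describes (the server must accept plaintext on port 25, so an MTA client that refuses to deliver unless STARTTLS is offered is the only enforcement point), combined with the two signalling ideas in the thread, as an added example that is not code from either poster. The "smtps-"/"starttls-" prefix check follows the draft's changelog; the TXT record label and value are assumptions made up for illustration, not from any RFC.

```python
import smtplib
import socket
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical TXT record for the reply's counter-proposal (assumed, not an RFC)
TXT_LABEL = "_starttls-only"
TXT_VALUE = "v=starttlsonly1"


@dataclass
class Decision:
    send: bool       # deliver the message at all?
    use_tls: bool    # if delivered, is the session upgraded with STARTTLS?
    reason: str


def signalled_tls_only(mx_host: str, txt_records: List[str]) -> Optional[str]:
    """Return why the receiver signalled 'TLS only', or None if it did not.

    Checks the draft's MX-hostname prefix and the reply's TXT-record idea."""
    name = mx_host.lower().rstrip(".")
    for prefix in ("smtps-", "starttls-"):
        if name.startswith(prefix):
            return f"MX hostname prefix '{prefix}'"
    if any(r.strip().lower() == TXT_VALUE for r in txt_records):
        return f"TXT record {TXT_LABEL}"
    return None


def decide(mx_host: str, txt_records: List[str], offers_starttls: bool,
           local_policy_require_tls: bool = False) -> Decision:
    """Client-side policy: the MX MUST accept plaintext on 25, so the client
    alone decides whether a plaintext session is acceptable."""
    why = signalled_tls_only(mx_host, txt_records)
    if offers_starttls:
        return Decision(True, True, "STARTTLS offered in EHLO")
    if why:
        return Decision(False, False, f"receiver signalled TLS only ({why}) but no STARTTLS")
    if local_policy_require_tls:
        # The reply's own setup: never send web-app mail without STARTTLS.
        return Decision(False, False, "local policy: never send without STARTTLS")
    return Decision(True, False, "plaintext allowed: no signal, no local policy")


def mx_offers_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Probe an MX: EHLO on port 25 and look for the STARTTLS extension.
    Needs network access; the offline test exercises decide() instead."""
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as s:
            s.ehlo(socket.getfqdn())
            return s.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return False
```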