<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Having been through this many times,
I'd say that probably the best way to advocate for something is to
advocate for what the *problem* is much more than what the
*solution* is. Invariably, things are more complex than we imagine
in the solution space and the people who inhabit that space are
more than happy to inform you of it.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Writing an I-D on what the problem is
can be a very useful exercise to rally support without putting a
bullseye on your back about a solution. I will say that
downgrade attacks are taken seriously by the security geeks I
know. But everything is messy, especially with something as
ancient as email, so listening is a virtue too.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Which isn't to say that running code is
bad -- it's one of the best things about the IETF -- but people have
to understand why it's running at all :)<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Mike, one of the authors of rfc 4871<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 1/11/19 9:38 AM, Viruthagiri
Thirumavalavan wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOEezJQ0mJYvKW=SdbbE4ZC2Vx6_9FD5Z0SpkF2840r580vZ5w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div>Hello NANOG, Belated new year wishes.</div>
<div><br>
</div>
<div>I would like to gather some feedback from you all.</div>
<div><br>
</div>
<div>I'm trying to propose two things as Internet Standards,
and they're related to SMTP. </div>
<div><br>
</div>
<div>(1) STARTTLS downgrade protection in a dead simple way</div>
<div><br>
</div>
<div>(2) SMTPS (Implicit TLS) on a new port (26). This is
totally optional. </div>
<div><br>
</div>
<div>I posted my proposal on the IETF mailing list. I got very
good feedback there. Some support my proposal. Many are
against it.</div>
<div><br>
</div>
<div>I would love to know where you stand on this proposal.
Let me give you the abstract first.</div>
<div><br>
</div>
<div>-----</div>
<div><br>
</div>
<div>SMTP is still suffering from downgrade attacks like
STRIPTLS. While we have "Opportunistic TLS", we still don't
have "Implicit TLS" in SMTP.</div>
<div><br>
</div>
<div>Don't take this in the wrong way. We do have "Implicit
TLS" for "SMTP Submission" on port 465. But we don't have a
secure port 25 alternative, i.e., the real SMTPS.</div>
<div><br>
</div>
<div>Both MTA-STS and MTA-DANE try to fix the STARTTLS
downgrade issue. However, the implementation is not simple.
The former requires an HTTPS server and the latter requires
DNSSEC to even get started.</div>
<div><br>
</div>
<div>This proposal fixes the STARTTLS downgrade issue, proposes
a new port, 26, as an "Implicit TLS" alternative for port 25, and
recommends that the MX server signal the port via a prefix.</div>
<div><br>
</div>
<div>This proposal offers two ways.</div>
<div><br>
</div>
<div>(1) STARTTLS Prefix</div>
<div><br>
</div>
<div>Use this prefix only to deal with the STARTTLS downgrade
issue.</div>
<div><br>
</div>
<div>e.g. mx1.example.com should be
prefixed like starttls-mx1.example.com.</div>
<div><br>
</div>
<div>Where "starttls-" says "Our port 25 supports
Opportunistic TLS. So if the STARTTLS command is not found in the
EHLO response or the certificate is invalid, then drop the
connection".</div>
<div><br>
</div>
<div>(2) SMTPS Prefix</div>
<div><br>
</div>
<div>Use this prefix if you want to support Implicit TLS on port
26 and Opportunistic TLS on port 25.</div>
<div><br>
</div>
<div>e.g. mx1.example.com should be
prefixed like smtps-mx1.example.com.</div>
<div><br>
</div>
<div>Where "smtps-" says "We prefer that you connect to our
SMTPS on port 26. But we also accept mail on port 25. And
our port 25 supports Opportunistic TLS. So if the STARTTLS
command is not found in the EHLO response or the certificate is
invalid, then drop the connection".</div>
<div><br>
</div>
<div>With the "starttls-" prefix, port 25 <b>MUST</b> support
encryption with <b>valid SSL</b> certificates.</div>
<div><br>
</div>
<div>With the "smtps-" prefix, <b>BOTH</b> port 26 and port 25 <b>MUST</b>
support encryption with <b>valid SSL</b> certificates.</div>
<div><br>
</div>
<div>Note: You need to enable DNSSEC to prevent MX record
spoofing. My proposal highly recommends DNSSEC but does not
mandate it. </div>
<div><br>
</div>
<div>-------</div>
<div><br>
</div>
<div>What does the IETF mailing list think? - "Implicit TLS doesn't
offer any additional security over a downgrade-protected
STARTTLS. Let's not waste a port."</div>
<div><br>
</div>
<div>What do I think? - Implicit TLS still falls under "best
practices". So it will send out the positive vibe that the IETF
still cares about email security. </div>
<div><br>
</div>
<div>What does the world think? - <a
href="https://gist.github.com/mistergiri/138fc46ae401b7492662a32409edb07f"
moz-do-not-send="true">https://gist.github.com/mistergiri/138fc46ae401b7492662a32409edb07f</a></div>
<div><br>
</div>
<div>What do you all think? - <a
href="https://medium.com/@dombox/smtp-over-tls-on-port-26-efc67e8a99ce"
moz-do-not-send="true">https://medium.com/@dombox/smtp-over-tls-on-port-26-efc67e8a99ce</a></div>
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">Best Regards,
<div><br>
<div>Viruthagiri Thirumavalavan</div>
<div><span style="font-size:12.8px">Dombox, Inc.</span><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
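<p>As an added illustration of the prefix rule in the quoted proposal (this is example code, not the proposal author's or the IETF's): a sender-side policy lookup that maps an MX hostname to a connection policy and then decides what to do with a port-25 EHLO reply. The "starttls-" and "smtps-" semantics and port 26 are taken from the post; the function names, the <code>Policy</code> dataclass and the two sample EHLO replies (one genuine, one with STARTTLS stripped in transit) are constructed here for illustration.</p>

```python
"""Sender-side policy derived from the MX-hostname prefixes described in
the quoted proposal.  Added example, not the proposal author's code.

Prefix semantics ("starttls-", "smtps-", port 26) come from the post; the
function names, the Policy dataclass and the sample EHLO replies below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    ports: tuple          # ports to try, in preference order
    implicit_tls: bool    # first port is Implicit TLS (no STARTTLS dance)
    require_tls: bool     # on a port-25 session, abort if STARTTLS or cert check fails


def policy_for_mx(mx_host: str) -> Policy:
    """Map an MX hostname to a connection policy using the proposed prefixes."""
    host = mx_host.lower().rstrip(".")
    if host.startswith("smtps-"):
        # prefer Implicit TLS on 26, fall back to 25 with mandatory STARTTLS
        return Policy(ports=(26, 25), implicit_tls=True, require_tls=True)
    if host.startswith("starttls-"):
        # port 25 only, but STARTTLS and a valid certificate are mandatory
        return Policy(ports=(25,), implicit_tls=False, require_tls=True)
    # no prefix: today's opportunistic behaviour, plaintext fallback allowed
    return Policy(ports=(25,), implicit_tls=False, require_tls=False)


def ehlo_keywords(ehlo_response: str) -> List[str]:
    """Extract the EHLO keywords from a multi-line 250 reply (RFC 5321 layout)."""
    keywords = []
    for line in ehlo_response.splitlines():
        # "250-KEYWORD params" on continuation lines, "250 KEYWORD" on the last
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            body = line[4:].strip()
            if body:
                keywords.append(body.split()[0].upper())
    # the first 250 line carries the server's domain and greeting, not a keyword
    return keywords[1:]


def decide_port25(mx_host: str, ehlo_response: str, cert_valid: Optional[bool]) -> str:
    """Decide what a sender does with a port-25 session.

    cert_valid is None when no TLS handshake happened (STARTTLS not offered),
    otherwise the outcome of certificate validation after STARTTLS.
    Returns "tls", "plaintext" or "drop".
    """
    policy = policy_for_mx(mx_host)
    offers_starttls = "STARTTLS" in ehlo_keywords(ehlo_response)
    if offers_starttls and cert_valid:
        return "tls"
    if policy.require_tls:
        # prefixed MX: STARTTLS missing (e.g. stripped by a MitM) or bad cert -> abort
        return "drop"
    # unprefixed MX: opportunistic TLS degrades silently, which is the STRIPTLS problem
    return "plaintext"


# Constructed sample replies: one genuine, one with the STARTTLS line stripped
EHLO_OK = (
    "250-mx1.example.com Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mx1.example.com Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def demo() -> dict:
    """Run the four interesting cases and return the decisions."""
    return {
        "unprefixed, STARTTLS stripped": decide_port25("mx1.example.com", EHLO_STRIPPED, None),
        "starttls- prefix, STARTTLS stripped": decide_port25("starttls-mx1.example.com", EHLO_STRIPPED, None),
        "starttls- prefix, good cert": decide_port25("starttls-mx1.example.com", EHLO_OK, True),
        "smtps- prefix on 25, bad cert": decide_port25("smtps-mx1.example.com", EHLO_OK, False),
        "smtps- prefix port order": policy_for_mx("smtps-mx1.example.com").ports,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The first two cases are the point of the proposal: the same stripped EHLO reply yields a silent plaintext fallback for an unprefixed MX and a dropped connection for a prefixed one. The hostname is still read from an unsigned MX lookup here, which is why the post recommends DNSSEC; without it an attacker who can spoof the MX answer can also strip the prefix.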
</body>
</html>