Re: [mailop] SMTP TLS Reports for forged senders.
Thanks. Of course, that makes sense. I mixed that up because there are so few even sending reports. As of yet there have never been any negative ones incoming. So someone else is attempting a TLS connection to us and reports about that. Because from the same report sender comes a DMARC report in the same time vicinity of the TLS report, that someone else not on the SPF list is sending mail on our behalf. Then that TLS report is just related to the TLS connection of them sending their DMARC report.

Holy fiddly backscatter, Batman. I am not convinced I like this reporting stuff. But it is kind of the only reasonable complement to DNS-based tags on TLS availability I could think of either.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] SMTP TLS Reports for forged senders.
On Sun, Nov 17, 2024 at 10:09:59PM +, Andrew C Aitchison via mailop wrote:

> > There is active work on TLSRPT support in Postfix, if this sees
> > non-trivial adoption, the volume of reports [may] go up a bit.
>
> Thanks. I'm thinking about adding these reports to/for Exim.
> Is https://www.postfix.org/TLSRPT_README.html a good place to start ?

Yes, but also reach out to Patrick Koetter, who chimed in on this thread. The folks at sys4.de are driving the project, with Wietse doing the Postfix MTA integration, and sys4 developing the reporting engine that receives the MTA connection status info and generates reports as/when appropriate.

> Since much of the work is done daily, maybe it doesn't happen in the MTA
> itself; is there potential to share some parts ?

If it is possible, and you're willing, to adopt the same status notification format, sure, sharing the back end might benefit both the Postfix and Exim communities.

Exim is after all (IIRC) still using my dated code for DANE cert validation over OpenSSL. Though with OpenSSL 1.0.2 long in the rear-view mirror, this might also be a good time to switch to the native OpenSSL DANE support. If you know anyone who might be interested in doing that, please have them get in touch if they need help.

-- 
Viktor.
Re: [mailop] SMTP TLS Reports for forged senders.
On Sat, 16 Nov 2024 21:38:46 -0500, Bill Cole via mailop wrote:

> On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
> Michael Rathbun via mailop
> is rumored to have said:
>
> > I confess to being completely mystified. What is the nature of these
> > TLS reports, and where do they come from?
>
> Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460.
> Intimately related to MTA-STS, RFC8461.
>
> It can also be used with DANE, but I don't know of anyone doing so.

As long as I don't have to deal with any stinking latest version cover sheets.

mdr
-- 
We are all temps.
-- Daisy Adair
Re: [mailop] SMTP TLS Reports for forged senders.
By the way, if MTA-STS fails one won't get any report from MS at all (Google is sending them in disregard of your MTA-STS policy). So one has to fix the MTA-STS problem first to see the failed connections from MS. I'd say that is kind of useless, because I get the reports when the problems are solved.

Regards
Norbert

-----Original Message-----
From: mailop On Behalf Of Mechiel Lukkien via mailop
Sent: Sunday, 17 November 2024 22:42
To: mailop@mailop.org
Subject: Re: [mailop] SMTP TLS Reports for forged senders.

> Microsoft is sending TLS reports reporting DANE and MTA-STS connections.
> They seem to test and report both of 'em so the count is more or less
> doubled. If you get 10 connections they report 20 connections (10 for MTA-STS
> and 10 for DANE).

TLS reporting is about the policies found, and how many connections were (un)successful against them. If you verify both DANE and MTA-STS, you will find both policies and you'll have two verification results for each connection. So I wouldn't say they are reporting the connections twice.

I recently received "validation failures" in TLS reports from Microsoft. The failures were only counting towards the MTA-STS policy, not towards the DANE policy, even though the problem appears to be with a TLS stack incompatibility (with the Go TLS stack). TLS reporting is about MTA-STS and/or DANE verification. So other kinds of TLS errors will probably be reported differently based on implementations (and possibly with not-quite-correct failure codes).

Another quirk: the Microsoft DANE TLS reporting implementation seems to double-JSON-encode the TLSA records. Example with two TLSA records:

    "policy": {
      "policy-type": "tlsa",
      "policy-string": [
        "[\"3 1 1 5C046FF012891B5F0D6176024C5C25FF486A7C12B8000FDF8B418AB3ECF6D309\",\"3 1 1 CEC87FB33D2A7499CA78E824E59B77531AC1FDEC7378FC81FCE7E5D213A364AB\"]"
      ],
      "policy-domain": "ueber.net"
    },

Cheers,
Mechiel
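The quirk Mechiel describes above is easy to trip over when you feed TLSRPT reports into your own tooling: a "policy-string" that should be one TLSA record per array element arrives as a single JSON-encoded string. The following is an added example, not code from the thread, from Postfix/Exim, or from any reporter; it decodes an RFC 8460 report (raw or gzip-compressed, as delivered by mail attachment or HTTPS POST), undoes the double encoding where it occurs, and summarises success and failure counts per policy, also flagging reports whose failure-details do not add up to the summary count. The sample report, domains, IPs and TLSA hashes are constructed placeholders.

```python
"""Parse an RFC 8460 TLSRPT report and summarise it per policy (added example)."""
import gzip
import json
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: an MTA-STS policy with two validation failures, plus a
# DANE policy whose "policy-string" is double-JSON-encoded (the quirk the
# thread attributes to Microsoft's reporter). All values are placeholders.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender",
    "date-range": {"start-datetime": "2024-11-16T00:00:00Z",
                   "end-datetime": "2024-11-17T00:00:00Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2024-11-16T00:00:00Z_example.org",
    "policies": [
        {"policy": {"policy-type": "sts",
                    "policy-string": ["version: STSv1", "mode: enforce",
                                      "mx: mx1.example.org", "max_age: 604800"],
                    "policy-domain": "example.org"},
         "summary": {"total-successful-session-count": 8,
                     "total-failure-session-count": 2},
         "failure-details": [{"result-type": "validation-failure",
                              "sending-mta-ip": "192.0.2.10",
                              "receiving-mx-hostname": "mx1.example.org",
                              "failed-session-count": 2}]},
        {"policy": {"policy-type": "tlsa",
                    "policy-string": ['["3 1 1 ' + "00" * 31 + '01",'
                                      '"3 1 1 ' + "00" * 31 + '02"]'],
                    "policy-domain": "example.org"},
         "summary": {"total-successful-session-count": 10,
                     "total-failure-session-count": 0}},
    ],
})
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT.encode())  # as attached to mail


def load_report(data):
    """Decode a report body: str, JSON bytes, or gzip-compressed JSON bytes."""
    if isinstance(data, str):
        return json.loads(data)
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8"))


def normalize_policy_strings(strings):
    """Flatten "policy-string" entries, undoing double JSON encoding.

    The schema wants one string per TLSA record or MTA-STS policy line. A
    reporter that serialises the whole array into one JSON string yields a
    single element starting with "["; expand that, keep anything else as-is.
    """
    out = []
    for s in strings:
        if isinstance(s, str) and s.lstrip().startswith("["):
            try:
                inner = json.loads(s)
            except json.JSONDecodeError:
                inner = None
            if isinstance(inner, list) and all(isinstance(i, str) for i in inner):
                out.extend(inner)
                continue
        out.append(s)
    return out


def summarize(report):
    """One dict per policy: counts, failure types, and a consistency flag
    (summary failure count must equal the sum of failure-details counts)."""
    summaries = []
    for entry in report.get("policies", []):
        pol, summ = entry.get("policy", {}), entry.get("summary", {})
        failures = Counter()
        for detail in entry.get("failure-details", []):
            failures[detail.get("result-type", "unknown")] += int(
                detail.get("failed-session-count", 0))
        total_fail = int(summ.get("total-failure-session-count", 0))
        summaries.append({
            "type": pol.get("policy-type"),
            "domain": pol.get("policy-domain"),
            "policy": normalize_policy_strings(pol.get("policy-string", [])),
            "ok": int(summ.get("total-successful-session-count", 0)),
            "fail": total_fail,
            "failures": dict(failures),
            "consistent": sum(failures.values()) == total_fail,
        })
    return summaries


def parse_report(data):
    """Decode then summarise a report body."""
    return summarize(load_report(data))


if __name__ == "__main__":
    for s in parse_report(SAMPLE_REPORT_GZ):
        print(f"{s['type']:<5} {s['domain']:<12} ok={s['ok']:<3} fail={s['fail']:<3} "
              f"{s['failures']} consistent={s['consistent']}")
        for line in s["policy"]:
            print("       ", line)
```

Note that a DANE and an MTA-STS entry for the same domain both count the same connections, as Mechiel explains, so do not add the two "ok" figures together when you graph inbound volume.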
Re: [mailop] SMTP TLS Reports for forged senders.
On Sun, 17 Nov 2024, Viktor Dukhovni via mailop wrote:

> On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
>
> > Some of our domains receive TLS reports for connections their mx's
> > didn't make on behalf of any user of such a domain.
>
> This makes no sense, because unlike DMARC reports which are sent by
> receiving (server) systems, TLS reports are sent by sending (client)
> systems to the domains whose MX hosts had trouble with TLS.
>
> So when you receive a TLS report, it is never about mail your MX hosts
> sent, rather it is about mail others tried to send to you.
>
> > Are such reports usually only sent for DMARC-aligned senders or even
> > for forged senders to the actual MX? As we get DMARC reports from the
> > same receivers, that show forged senders, I believe they are sent for
> > forged senders as well.
>
> TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> DNS records, you may get reports from *senders* about their issues with
> establishing a (verified) TLS connection to your system.

I have _smtp._tls.aitchison.me.uk. DANE and nothing for my mxhost or MTA_STS.
Would that be why I receive (success) reports from GMail and Stalwart Labs but no-one else ?

> There is active work on TLSRPT support in Postfix, if this sees
> non-trivial adoption, the volume of reports go up a bit.

Thanks. I'm thinking about adding these reports to/for Exim.
Is https://www.postfix.org/TLSRPT_README.html a good place to start ?

Since much of the work is done daily, maybe it doesn't happen in the MTA itself; is there potential to share some parts ?

Thanks,

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
Re: [mailop] SMTP TLS Reports for forged senders.
* Bill Cole via mailop :
> On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
> Michael Rathbun via mailop
> is rumored to have said:
>
> > I confess to being completely mystified. What is the nature of these TLS
> > reports, and where do they come from?
>
> Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. Intimately
> related to MTA-STS, RFC8461.
>
> It can also be used with DANE, but I don't know of anyone doing so.

This will likely change in the near future. The upcoming, yearly Postfix release will implement TLSRPT (see: https://postfix.org/TLSRPT_README.html) and I expect many Postfix based platforms to adopt this standard and start sending out TLSRPT reports.

TLSRPT support is the result of a collaboration between Wietse Venema (postfix) and us (sys4). We want to foster TLSRPT and to make it happen we decided to contribute a generic low-level TLSRPT client library and a report generator. Both projects' code is located at https://github.com/sys4/tlsrpt/.

NOTE: The client library is ready to use. The report generator is still work in progress and on time to be released when the new Postfix version hits the road around February 2025. If you want to test it, please test it and please report issues if you experience problems.

Both the client library and the report generator are GPL3. We hope other OSS SMTP projects will adopt the TLSRPT client library to implement TLSRPT as well.

Monitoring your own platform for TLS related issues is fine, but it doesn't give you a picture of how partners and other sending parties experience your mail system when they connect to it. This is where TLSRPT comes in. Its reports will allow you to detect if your world-wide inbound TLS-encrypted SMTP communication meets your security policies.

p@rick

P.S. As a side-effect the upcoming Postfix release, assisted by another third party tool, will also support MTA-STS.

P.P.S. Others may call it collateral damage and not side-effect. But who am I to tell.
I'm biased. Along with Viktor I'm team "DANE". ;-)

-- 
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: [mailop] SMTP TLS Reports for forged senders.
Just realized you were talking about the TLS reporting policy itself. Ignore me :)

Greetings,
Louis

On Sunday 17 November 2024 at 15:18, Louis wrote:

> I assume you made a typo, but for the sake of clarity: mta-sts needs a TXT
> record at _mta-sts. and an http server serving the policy at
> https://mta-sts./.well-known/mta-sts.txt. It has
> nothing to do with _smtp._tls..
>
> Greetings,
> Louis
>
> On Sunday 17 November 2024 at 04:19, Viktor Dukhovni via mailop wrote:
>
> > On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
> >
> > > Some of our domains receive TLS reports for connections their mx's
> > > didn't make on behalf of any user of such a domain.
> >
> > This makes no sense, because unlike DMARC reports which are sent by
> > receiving (server) systems, TLS reports are sent by sending (client)
> > systems to the domains whose MX hosts had trouble with TLS.
> >
> > So when you receive a TLS report, it is never about mail your MX hosts
> > sent, rather it is about mail others tried to send to you.
> >
> > > Are such reports usually only sent for DMARC-aligned senders or even
> > > for forged senders to the actual MX? As we get DMARC reports from the
> > > same receivers, that show forged senders, I believe they are sent for
> > > forged senders as well.
> >
> > TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> > conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> > DNS records, you may get reports from *senders* about their issues with
> > establishing a (verified) TLS connection to your system.
> >
> > There is active work on TLSRPT support in Postfix; if this sees
> > non-trivial adoption, the volume of reports goes up a bit.
> >
> > -- 
> > Viktor.
Re: [mailop] SMTP TLS Reports for forged senders.
I assume you made a typo, but for the sake of clarity: mta-sts needs a TXT record at _mta-sts. and an http server serving the policy at https://mta-sts./.well-known/mta-sts.txt. It has nothing to do with _smtp._tls..

Greetings,
Louis

On Sunday 17 November 2024 at 04:19, Viktor Dukhovni via mailop wrote:

> On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
>
> > Some of our domains receive TLS reports for connections their mx's
> > didn't make on behalf of any user of such a domain.
>
> This makes no sense, because unlike DMARC reports which are sent by
> receiving (server) systems, TLS reports are sent by sending (client)
> systems to the domains whose MX hosts had trouble with TLS.
>
> So when you receive a TLS report, it is never about mail your MX hosts
> sent, rather it is about mail others tried to send to you.
>
> > Are such reports usually only sent for DMARC-aligned senders or even
> > for forged senders to the actual MX? As we get DMARC reports from the
> > same receivers, that show forged senders, I believe they are sent for
> > forged senders as well.
>
> TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> DNS records, you may get reports from *senders* about their issues with
> establishing a (verified) TLS connection to your system.
>
> There is active work on TLSRPT support in Postfix; if this sees
> non-trivial adoption, the volume of reports goes up a bit.
>
> -- 
> Viktor.
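Louis's correction is worth turning into a check, because the two artefacts live in different places and reporters silently skip you when either is wrong (Norbert notes above that MS sends nothing at all while MTA-STS is broken). The following is an added example, not code from the thread, Postfix, Exim or any reporter: it parses the value of the _smtp._tls TXT record (RFC 8460 section 3, "v=TLSRPTv1; rua=...") and an MTA-STS policy file as served from the mta-sts host (RFC 8461 section 3.2), and applies the RFC 8461 MX matching rule so you can confirm your real MX names would pass your own policy. The inputs are constructed strings for a placeholder domain (example.org); nothing is fetched from DNS or HTTPS.

```python
"""Validate TLSRPT TXT and MTA-STS policy contents offline (added example)."""

# Constructed sample inputs for a placeholder domain.
SAMPLE_TLSRPT_TXT = ("v=TLSRPTv1; rua=mailto:tlsrpt@example.org, "
                     "https://reports.example.org/v1/tlsrpt")
SAMPLE_STS_POLICY = ("version: STSv1\r\nmode: enforce\r\n"
                     "mx: mx1.example.org\r\nmx: *.backup.example.org\r\n"
                     "max_age: 604800\r\n")


def parse_tlsrpt_txt(txt):
    """Return the report URIs from a TLSRPTv1 TXT record value.

    The record is ';'-separated tag=value pairs. "v=TLSRPTv1" must come
    first and "rua" (comma-separated mailto: or https: URIs) is mandatory.
    """
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=TLSRPTv1":
        raise ValueError("record does not start with v=TLSRPTv1")
    ruas = []
    for field in fields[1:]:
        tag, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        if tag.strip() == "rua":
            ruas.extend(u.strip() for u in value.split(",") if u.strip())
    if not ruas:
        raise ValueError("rua is required")
    for uri in ruas:
        if not uri.startswith(("mailto:", "https://")):
            raise ValueError(f"unsupported rua URI: {uri}")
    return ruas


def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy file into a dict; 'mx' collects all patterns."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            raise ValueError(f"duplicate key: {key}")
        else:
            policy[key] = value  # unknown keys kept for forward compatibility
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    return policy


def mx_matches(hostname, pattern):
    """RFC 8461 MX matching: exact, case-insensitive match, or a leading '*'
    that stands in for exactly one leftmost label ('*.example.org' matches
    'a.example.org' but neither 'example.org' nor 'a.b.example.org')."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return host.count(".") == pat.count(".") and host.endswith(pat[1:])
    return host == pat


def mx_allowed(hostname, policy):
    """True if an MX host name is permitted by the policy's mx patterns."""
    return any(mx_matches(hostname, p) for p in policy["mx"])


if __name__ == "__main__":
    print("rua:", parse_tlsrpt_txt(SAMPLE_TLSRPT_TXT))
    pol = parse_mta_sts_policy(SAMPLE_STS_POLICY)
    for mx in ("mx1.example.org.", "mx2.backup.example.org", "backup.example.org"):
        print(f"{mx:<26} allowed={mx_allowed(mx, pol)}")
```

Run it against the TXT value you actually publish and the policy body your web server actually returns (fetch both with your usual tools first); a wildcard that is one label off, or a missing "mode:" line, is exactly the kind of mistake that yields zero reports rather than a failure report.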
Re: [mailop] SMTP TLS Reports for forged senders.
Hi all,

Microsoft is sending TLS reports reporting DANE and MTA-STS connections. They seem to test and report both of 'em so the count is more or less doubled. If you get 10 connections they report 20 connections (10 for MTA-STS and 10 for DANE).

Regards
Norbert

From: mailop On Behalf Of Bill Cole via mailop
Sent: Sunday, 17 November 2024 03:39
To: Michael Rathbun via mailop
Subject: Re: [mailop] SMTP TLS Reports for forged senders.

On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600) Michael Rathbun via mailop is rumored to have said:

> I confess to being completely mystified. What is the nature of these TLS reports, and where do they come from?

Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. Intimately related to MTA-STS, RFC8461.

It can also be used with DANE, but I don't know of anyone doing so.

b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] SMTP TLS Reports for forged senders.
On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:

> Some of our domains receive TLS reports for connections their mx's
> didn't make on behalf of any user of such a domain.

This makes no sense, because unlike DMARC reports which are sent by receiving (server) systems, TLS reports are sent by sending (client) systems to the domains whose MX hosts had trouble with TLS.

So when you receive a TLS report, it is never about mail your MX hosts sent, rather it is about mail others tried to send to you.

> Are such reports usually only sent for DMARC-aligned senders or even
> for forged senders to the actual MX? As we get DMARC reports from the
> same receivers, that show forged senders, I believe they are sent for
> forged senders as well.

TLS reports (RFC 8460) have nothing to do with DMARC. If you publish conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE) DNS records, you may get reports from *senders* about their issues with establishing a (verified) TLS connection to your system.

There is active work on TLSRPT support in Postfix; if this sees non-trivial adoption, the volume of reports goes up a bit.

-- 
Viktor.
Re: [mailop] SMTP TLS Reports for forged senders.
On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600) Michael Rathbun via mailop is rumored to have said:

> I confess to being completely mystified. What is the nature of these TLS reports, and where do they come from?

Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. Intimately related to MTA-STS, RFC8461.

It can also be used with DANE, but I don't know of anyone doing so.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] SMTP TLS Reports for forged senders.
On Sun, 17 Nov 2024 01:30:24 +0100 (GMT+01:00), Olga Fischer via mailop wrote:

> Some of our domains receive TLS reports for connections their mx's didn't make
> on behalf of any user of such a domain.

I confess to being completely mystified. What is the nature of these TLS reports, and where do they come from?

mdr
-- 
Sometimes half-ass is exactly the right amount of ass.
-- Wonderella