Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-22 Thread Olga Fischer via mailop
Thanks

Of course, that makes sense. I mixed that up because there are so few even
sending reports. As yet there have never been any negative ones incoming.
So someone else is attempting to TLS connect to us and reports about that.

Because from the same report sender comes a DMARC report, in the same time
vicinity as the TLS report, that someone else not on the SPF list is sending
mail on our behalf.

Then that TLS report is just related to the TLS connection of them sending
their DMARC report.

Holy fiddly backscatter batman.

I am not convinced that I like this reporting stuff.
But it is kind of the only reasonable complement to DNS-based tags on TLS
availability I could think of either.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Viktor Dukhovni via mailop
On Sun, Nov 17, 2024 at 10:09:59PM +, Andrew C Aitchison via mailop wrote:

> > There is active work on TLSRPT support in Postfix, if this sees
> > non-trivial adoption, the volume of reports [may] go up a bit.
> 
> Thanks. I'm thinking about adding these reports to/for Exim.
> Is https://www.postfix.org/TLSRPT_README.html a good place to start ?

Yes, but also reach out to Patrick Koetter, who chimed in on this
thread.  The folks at sys4.de are driving the project, with Wietse
doing the Postfix MTA integration, and sys4 developing the reporting
engine that receives the MTA connection status info and generates
reports as/when appropriate.

> Since much of the work is done daily, maybe it doesn't happen in the MTA
> itself; is there potential to share some parts ?

If it is possible, and you're willing, to adopt the same status
notification format, sure sharing the back end might benefit both the
Postfix and Exim communities.

Exim is after all (IIRC) still using my dated code for DANE cert
validation over OpenSSL.  Though with OpenSSL 1.0.2 long in the
rear-view mirror, this might also be a good time to switch to the native
OpenSSL DANE support.  If you know anyone who might be interested in
doing that, please have them get in touch if they need help.

-- 
Viktor.


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Michael Rathbun via mailop
On Sat, 16 Nov 2024 21:38:46 -0500, Bill Cole via mailop wrote:

>On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
>Michael Rathbun via mailop 
>is rumored to have said:
>
>> I confess to being completely mystified.  What is the nature of these 
>> TLS reports, and where do they come from?
>
>Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. 
>Intimately related to MTA-STS, RFC8461.
>
>It can also be used with DANE, but I don't know of anyone doing so.

As long as I don't have to deal with any stinking latest version cover sheets.

mdr
-- 
   We are all temps.
  -- Daisy Adair



Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Fehlauer, Norbert via mailop
Btw, if MTA-STS fails one won't get any report from MS at all (Google is
sending them regardless of your MTA-STS policy). So one has to fix the
MTA-STS problem first to see the failed connections from MS. I'd say that is
kind of useless because I get the reports when the problems are solved.

Regards
Norbert

-----Original Message-----
From: mailop On Behalf Of Mechiel Lukkien via mailop
Sent: Sunday, 17 November 2024 22:42
To: mailop@mailop.org
Subject: Re: [mailop] SMTP TLS Reports for forged senders.

> Microsoft is sending TLS reports reporting DANE and MTA-STS connections.
> They seem to test and report both of 'em so the count is more or less 
> doubled. If you get 10 connections they report 20 connections (10 for MTA-STS 
> and 10 for DANE).

TLS reporting is about the policies found, and how many connections were
(un)successful against them. If you verify both DANE and MTA-STS, you will
find both policies and you'll have two verification results for each
connection. So I wouldn't say they are reporting the connections twice.

I recently received "validation failures" in TLS reports from Microsoft. The
failures were only counting towards the MTA-STS policy, not towards the DANE
policy, even though the problem appears to be with a TLS stack
incompatibility (with the Go TLS stack). TLS reporting is about MTA-STS and/or
DANE verification. So other kinds of TLS errors will probably be reported
differently based on implementations (and possibly with not-quite-correct
failure codes).
Another quirk: the Microsoft DANE TLS reporting implementation seems to
double-JSON-encode the TLSA records. Example with two TLSA records:

    "policy": {
        "policy-type": "tlsa",
        "policy-string": [
            "[\"3 1 1 5C046FF012891B5F0D6176024C5C25FF486A7C12B8000FDF8B418AB3ECF6D309\",\"3 1 1 CEC87FB33D2A7499CA78E824E59B77531AC1FDEC7378FC81FCE7E5D213A364AB\"]"
        ],
        "policy-domain": "ueber.net"
    },

Cheers,
Mechiel
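To make Mechiel's two points above concrete, here is an added example (my own code, not the mox, Postfix or Microsoft implementation) that reads a constructed RFC 8460 report in which the same sessions are counted under both an "sts" and a "tlsa" policy entry, unwraps a double-JSON-encoded tlsa policy-string, and totals successes, failures and failure reasons per policy type. The report contents, hash values and function names are all constructed for the example.

```python
import json

# Constructed sample report (not a real Microsoft report). The same 10 sessions
# are evaluated once against the MTA-STS policy and once against the DANE policy,
# so they appear under both entries: per-policy results, not doubled connections.
# The tlsa "policy-string" reproduces the double-JSON-encoding quirk shown above.
CONSTRUCTED_TLSA = ["3 1 1 " + "ab" * 32, "3 1 1 " + "cd" * 32]
SAMPLE_REPORT = json.dumps({
    "organization-name": "Constructed Reporter", "report-id": "constructed-0001",
    "policies": [
        {"policy": {"policy-type": "sts", "policy-domain": "example.net",
                    "policy-string": ["version: STSv1", "mode: enforce",
                                      "mx: mx.example.net", "max_age: 86400"]},
         "summary": {"total-successful-session-count": 8,
                     "total-failure-session-count": 2},
         "failure-details": [{"result-type": "validation-failure",
                              "failed-session-count": 2}]},
        {"policy": {"policy-type": "tlsa", "policy-domain": "example.net",
                    "policy-string": [json.dumps(CONSTRUCTED_TLSA)]},
         "summary": {"total-successful-session-count": 10,
                     "total-failure-session-count": 0}},
    ],
})

def normalize_policy_strings(policy):
    """policy-string as RFC 8460 expects it: one element per policy line.
    An element that is itself a JSON-encoded array of strings is unwrapped."""
    out = []
    for item in policy.get("policy-string", []):
        if isinstance(item, str) and item.lstrip().startswith("["):
            try:
                inner = json.loads(item)
            except ValueError:
                inner = None
            if isinstance(inner, list) and all(isinstance(s, str) for s in inner):
                out.extend(inner)
                continue
        out.append(item)
    return out

def summarize(report_text):
    """Per policy-type: session totals, failure reasons, and policy line count."""
    totals = {}
    for entry in json.loads(report_text)["policies"]:
        ptype = entry["policy"]["policy-type"]
        t = totals.setdefault(ptype, {"ok": 0, "fail": 0, "lines": 0, "reasons": {}})
        s = entry["summary"]
        t["ok"] += s.get("total-successful-session-count", 0)
        t["fail"] += s.get("total-failure-session-count", 0)
        t["lines"] += len(normalize_policy_strings(entry["policy"]))
        for fd in entry.get("failure-details", []):
            r = fd["result-type"]
            t["reasons"][r] = t["reasons"].get(r, 0) + fd.get("failed-session-count", 0)
    return totals
```

Running `summarize(SAMPLE_REPORT)` shows the two validation failures only under "sts", while "tlsa" counts the same sessions as 10 successes and two TLSA policy lines after unwrapping.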


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Andrew C Aitchison via mailop

On Sun, 17 Nov 2024, Viktor Dukhovni via mailop wrote:

> On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
>
> > Some of our domains receive TLS reports for connections their mx's
> > didn't make on behalf of any user of such a domain.
>
> This makes no sense, because unlike DMARC reports which are sent by
> receiving (server) systems, TLS reports are sent by sending (client)
> systems to the domains whose MX hosts had trouble with TLS.
>
> So when you receive a TLS report, it is never about mail your MX hosts
> sent, rather it is about mail others tried to send to you.
>
> > Are such reports usually only sent for DMARC-aligned senders or even
> > for forged senders to the actual MX?  As we get DMARC reports from the
> > same receivers, that show forged senders, I believe they are sent for
> > forged senders as well.
>
> TLS reports (RFC 8460) have nothing to do with DMARC.  If you publish
> conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> DNS records, you may get reports from *senders* about their issues with
> establishing a (verified) TLS connection to your system.

I have _smtp._tls.aitchison.me.uk. DANE and nothing for my mxhost or
MTA_STS. Would that be why I receive (success) reports from GMail
and Stalwart Labs but no-one else ?

> There is active work on TLSRPT support in Postfix, if this sees
> non-trivial adoption, the volume of reports go up a bit.

Thanks. I'm thinking about adding these reports to/for Exim.
Is https://www.postfix.org/TLSRPT_README.html a good place to start ?

Since much of the work is done daily, maybe it doesn't happen
in the MTA itself; is there potential to share some parts ?


Thanks,

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Patrick Ben Koetter via mailop
* Bill Cole via mailop:
> On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
> Michael Rathbun via mailop 
> is rumored to have said:
> 
> > I confess to being completely mystified.  What is the nature of these TLS
> > reports, and where do they come from?
> 
> Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. Intimately
> related to MTA-STS, RFC8461.
> 
> It can also be used with DANE, but I don't know of anyone doing so.

This will likely change in the near future. The upcoming, yearly Postfix
release will implement TLSRPT (see: https://postfix.org/TLSRPT_README.html)
and I expect many Postfix based platforms to adopt this standard and start
sending out TLSRPT reports.

TLSRPT support is the result of a collaboration between Wietse Venema
(postfix) and us (sys4). We want to foster TLSRPT and to make it happen we
decided to contribute a generic low-level TLSRPT client library and a report
generator. Both projects' code is located at https://github.com/sys4/tlsrpt/.

NOTE: The client library is ready to use. The report generator is still
work in progress and on time to be released when the new Postfix version
hits the road around February 2025. If you want to test it, please test it
and please report issues if you experience problems.

Both the client library and the report generator are GPL3. We hope other OSS
SMTP projects will adopt the TLSRPT client library to implement TLSRPT as well.

Monitoring your own platform for TLS related issues is fine, but it doesn't
give you a picture of how partners and other sending parties experience your
mail system when they connect to it. This is where TLSRPT comes in. Its
reports will allow you to detect if your world-wide inbound TLS-encrypted SMTP
communication meets your security policies.

p@rick


P.S.
As a side-effect the upcoming Postfix release, assisted by another third party
tool, will also support MTA-STS.

P.P.S.
Others may call it collateral damage and not side-effect. But who am I to tell.
I'm biased. Along with Viktor I'm team "DANE". ;-)

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein



Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Louis via mailop
Just realized you were talking about the tls reporting policy itself. Ignore me :)



Regards,
Louis


On Sunday, 17 November 2024 at 15:18, Louis wrote:

> I assume you made a typo, but for the sake of clarity: mta-sts needs a TXT
> record at _mta-sts. and an http server serving the policy at
> https://mta-sts./.well-known/mta-sts.txt. It has
> nothing to do with _smtp._tls..
> 
> 
> 
> Regards,
> Louis
> 
> 
> On Sunday, 17 November 2024 at 04:19, Viktor Dukhovni via mailop wrote:
> 
> > On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
> > 
> > > Some of our domains receive TLS reports for connections their mx's
> > > didn't make on behalf of any user of such a domain.
> > 
> > This makes no sense, because unlike DMARC reports which are sent by
> > receiving (server) systems, TLS reports are sent by sending (client)
> > systems to the domains whose MX hosts had trouble with TLS.
> > 
> > So when you receive a TLS report, it is never about mail your MX hosts
> > sent, rather it is about mail others tried to send to you.
> > 
> > > Are such reports usually only sent for DMARC-aligned senders or even
> > > for forged senders to the actual MX? As we get DMARC reports from the
> > > same receivers, that show forged senders, I believe they are sent for
> > > forged senders as well.
> > 
> > TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> > conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> > DNS records, you may get reports from *senders* about their issues with
> > establishing a (verified) TLS connection to your system.
> > 
> > There is active work on TLSRPT support in Postfix, if this sees
> > non-trivial adoption, the volume of reports go up a bit.
> > 
> > --
> > Viktor.


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Louis via mailop
I assume you made a typo, but for the sake of clarity: mta-sts needs a TXT
record at _mta-sts. and an http server serving the policy at
https://mta-sts./.well-known/mta-sts.txt. It has nothing to do with
_smtp._tls..



Regards,
Louis


On Sunday, 17 November 2024 at 04:19, Viktor Dukhovni via mailop wrote:

> On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:
> 
> > Some of our domains receive TLS reports for connections their mx's
> > didn't make on behalf of any user of such a domain.
> 
> This makes no sense, because unlike DMARC reports which are sent by
> receiving (server) systems, TLS reports are sent by sending (client)
> systems to the domains whose MX hosts had trouble with TLS.
> 
> So when you receive a TLS report, it is never about mail your MX hosts
> sent, rather it is about mail others tried to send to you.
> 
> > Are such reports usually only sent for DMARC-aligned senders or even
> > for forged senders to the actual MX? As we get DMARC reports from the
> > same receivers, that show forged senders, I believe they are sent for
> > forged senders as well.
> 
> TLS reports (RFC 8460) have nothing to do with DMARC. If you publish
> conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
> DNS records, you may get reports from *senders* about their issues with
> establishing a (verified) TLS connection to your system.
> 
> There is active work on TLSRPT support in Postfix, if this sees
> non-trivial adoption, the volume of reports go up a bit.
> 
> --
> Viktor.


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-17 Thread Fehlauer, Norbert via mailop
Hi all,

Microsoft is sending TLS reports reporting DANE and MTA-STS connections.
They seem to test and report both of 'em so the count is more or less doubled. 
If you get 10 connections they report 20 connections (10 for MTA-STS and 10 for 
DANE).

Regards
Norbert


From: mailop On Behalf Of Bill Cole via mailop
Sent: Sunday, 17 November 2024 03:39
To: Michael Rathbun via mailop
Subject: Re: [mailop] SMTP TLS Reports for forged senders.

On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
Michael Rathbun via mailop <m...@honet.com>
is rumored to have said:

> I confess to being completely mystified. What is the nature of these TLS
> reports, and where do they come from?

Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460. Intimately
related to MTA-STS, RFC8461.

It can also be used with DANE, but I don't know of anyone doing so.

--
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire




Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-16 Thread Viktor Dukhovni via mailop
On Sun, Nov 17, 2024 at 01:30:24AM +0100, Olga Fischer via mailop wrote:

> Some of our domains receive TLS reports for connections their mx's
> didn't make on behalf of any user of such a domain.

This makes no sense, because unlike DMARC reports which are sent by
receiving (server) systems, TLS reports are sent by sending (client)
systems to the domains whose MX hosts had trouble with TLS.

So when you receive a TLS report, it is never about mail your MX hosts
sent, rather it is about mail others tried to send to you.

> Are such reports usually only sent for DMARC-aligned senders or even
> for forged senders to the actual MX?  As we get DMARC reports from the
> same receivers, that show forged senders, I believe they are sent for
> forged senders as well.

TLS reports (RFC 8460) have nothing to do with DMARC.  If you publish
conformant _smtp._tls.. (MTA-STS) or _smtp._tls.. (DANE)
DNS records, you may get reports from *senders* about their issues with
establishing a (verified) TLS connection to your system.

There is active work on TLSRPT support in Postfix, if this sees
non-trivial adoption, the volume of reports go up a bit.

-- 
Viktor.
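Viktor's description above of where TLS reports go, together with Louis's correction earlier in the thread that MTA-STS lives at _mta-sts plus an HTTPS policy file while TLSRPT lives at _smtp._tls, is captured in this added example (my own code, not anything from the thread, Postfix or Exim). It parses constructed copies of the three artifacts and answers which policies a sender would find and where a report would be sent; the domain, record values and function names are all assumed for the example.

```python
# Constructed sample records for a hypothetical domain (not real DNS data).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.net,https://tlsrpt.example.net/v1"
MTA_STS_TXT = "v=STSv1; id=20241117T010000"
MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mx.example.net\nmx: *.backup.example.net\nmax_age: 604800\n"

def parse_tlsrpt_record(txt):
    """RFC 8460 section 3: 'v=TLSRPTv1; rua=<uri>[,<uri>]'; v must be first."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0].replace(" ", "") != "v=TLSRPTv1":
        return None
    tags = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    ruas = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not ruas or not all(u.startswith(("mailto:", "https://")) for u in ruas):
        return None
    return {"rua": ruas}

def parse_mta_sts_record(txt):
    """RFC 8461 section 3.1: 'v=STSv1; id=<policy id>'; v must be first."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0].replace(" ", "") != "v=STSv1":
        return None
    tags = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    pid = tags.get("id", "").strip()
    return {"id": pid} if pid else None

def parse_mta_sts_policy(body):
    """RFC 8461 section 3.2 policy file: 'key: value' lines, 'mx' may repeat.
    This check requires at least one mx unless the mode is 'none' (assumption)."""
    pol = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            pol["mx"].append(val)
        else:
            pol[key] = val
    ok = (pol.get("version") == "STSv1"
          and pol.get("mode") in ("enforce", "testing", "none")
          and (pol["mx"] or pol["mode"] == "none")
          and pol.get("max_age", "").isdigit())
    return pol if ok else None

def published_policies(tlsrpt_txt, mta_sts_txt, policy_body, has_tlsa):
    """Policies a sender will find (RFC 8460 policy-type names) and report targets."""
    found = ["tlsa"] if has_tlsa else []
    if parse_mta_sts_record(mta_sts_txt) and parse_mta_sts_policy(policy_body):
        found.append("sts")
    rpt = parse_tlsrpt_record(tlsrpt_txt)
    return {"policies": found, "reports-to": rpt["rua"] if rpt else []}
```

A domain with only a TLSRPT record and TLSA records, as Andrew describes, yields `{"policies": ["tlsa"], ...}` with reports still going to the rua addresses.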


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-16 Thread Bill Cole via mailop

On 2024-11-16 at 19:55:52 UTC-0500 (Sat, 16 Nov 2024 18:55:52 -0600)
Michael Rathbun via mailop 
is rumored to have said:

> I confess to being completely mystified.  What is the nature of these
> TLS reports, and where do they come from?

Presumably RFC8460 https://datatracker.ietf.org/doc/html/rfc8460.
Intimately related to MTA-STS, RFC8461.

It can also be used with DANE, but I don't know of anyone doing so.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: [mailop] SMTP TLS Reports for forged senders.

2024-11-16 Thread Michael Rathbun via mailop
On Sun, 17 Nov 2024 01:30:24 +0100 (GMT+01:00), Olga Fischer via mailop wrote:

>Some of our domains receive TLS reports for connections their mx's didn't make 
>on behalf of any user of such a domain.

I confess to being completely mystified.  What is the nature of these TLS
reports, and where do they come from?

mdr

-- 
   Sometimes half-ass is exactly the right amount of ass.
   -- Wonderella
