On Thu, Jan 12, 2017 at 09:48:59AM -0800, Jim Fenton wrote:
> I'm working on the revision of the REQUIRETLS draft, and ran into a
> situation with "MAYTLS" that I'm not sure how to resolve.
[ Thanks for moving forward with this work! ]
> In the case of REQUIRETLS, it makes sense to make sure that the SMTP
> server to which the message is being sent supports REQUIRETLS, because
> otherwise the REQUIRETLS characteristics of the message will be lost and
> the message may be sent in the clear on a subsequent hop.
Yes.
> But with MAYTLS (or what I'm thinking of as REQUIRETLS=NO, since it's
> asking that TLS not be required), there are two ways to handle this:
>
> 1. Go ahead and send message to an SMTP server not supporting the
> extension. But then the sender's request to send regardless of DANE or
> STS policy gets lost on subsequent hops. If the need was only to do this
> for a single hop, the SMTP client can just ignore the DANE or STS policy
> and wouldn't need the extension at all.
Yes. Send regardless. The signal is a best-effort signal.
Since the MAYTLS feature is intended to facilitate delivery over
security, mail needs to be delivered whether the feature is supported
or not. So in some cases the signal may not get through all the
requisite hops, but typically it only needs to get as far as the
border MTA of the sender's organization. The MSA may not be that
border MTA.
Another approach is to define a new message header that requests
a delivery despite apparent security downgrade. Such a signal
would tunnel through MTAs that are oblivious to the signal.
> 2. Make sure that the server supports the extension, but then the
> message will be more likely to be blocked/bounced, which is the opposite
> of the sender's intent (this is for urgent, non-sensitive messages).
So not this.
> In other words, MAYTLS is very fragile unless onward support is
> confirmed and doing so is likely to run counter to the sender's request.
>
> Thoughts?
I think that best-effort support is sufficient. Sites that support
DANE or STS are early adopters with comparatively new MTAs, and
are also more likely to have MAYTLS support (once that's
implemented in the most recent versions of popular MTAs).
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
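A toy model of the relay decisions discussed above, added here as an example and not code from the REQUIRETLS draft or from either poster. It follows the thread's reasoning: a REQUIRETLS request is refused (bounced) when the next hop does not advertise the extension, because the requirement would otherwise be lost; a MAYTLS request (REQUIRETLS=NO) is forwarded regardless, so the ESMTP parameter silently disappears at the first oblivious hop; and a header-based signal, as Viktor suggests, survives oblivious hops and still waives a DANE/STS policy at the border MTA. The header name used here, `TLS-Required: No`, is the one later standardised in RFC 8689; the thread itself names no header, so treat the name, the `NextHop` fields and the sample hop chain as assumptions of this model.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Optional


class Decision(Enum):
    DELIVER_TLS = "deliver over TLS"
    DELIVER_CLEARTEXT = "deliver in the clear (sender waived the TLS policy)"
    HOLD = "do not deliver: TLS policy not met and not waived by the sender"
    BOUNCE = "bounce: REQUIRETLS cannot be honoured on this hop"


# Header field name from RFC 8689 (later than this thread); the thread itself
# names no header, so this is an assumption of the model, not the draft's text.
WAIVER_HEADER = "TLS-Required"


@dataclass
class Message:
    # REQUIRETLS MAIL FROM parameter as the sender set it:
    # True = require TLS, False = MAYTLS / REQUIRETLS=NO, None = no preference.
    requiretls: Optional[bool] = None
    headers: dict = field(default_factory=dict)

    def waives_tls(self) -> bool:
        """True if the sender asked for delivery even if DANE/STS policy fails."""
        if self.requiretls is False:
            return True
        return self.headers.get(WAIVER_HEADER, "").strip().lower() == "no"


@dataclass
class NextHop:
    """The sending MTA's view of the next hop (assumed fields for the model)."""
    name: str
    supports_requiretls: bool   # next hop advertises REQUIRETLS in EHLO
    tls_ok: bool                # TLS negotiated and verified as policy demands
    has_tls_policy: bool        # DANE or MTA-STS says TLS is mandatory here


def relay(msg: Message, hop: NextHop):
    """Decide how to send msg to hop; return (decision, message as hop sees it)."""
    if msg.requiretls is True:
        # REQUIRETLS=YES: only proceed if the requirement can be carried onward
        # and TLS actually succeeded; otherwise the sender's intent is bounced.
        if hop.supports_requiretls and hop.tls_ok:
            return Decision.DELIVER_TLS, replace(msg, headers=dict(msg.headers))
        return Decision.BOUNCE, None

    # Best-effort case. The ESMTP parameter is only forwarded if the next hop
    # advertises the extension; a header field passes through untouched.
    forwarded = replace(
        msg,
        requiretls=msg.requiretls if hop.supports_requiretls else None,
        headers=dict(msg.headers),
    )
    if hop.tls_ok:
        return Decision.DELIVER_TLS, forwarded
    if hop.has_tls_policy and not msg.waives_tls():
        return Decision.HOLD, None          # policy enforced, no waiver seen
    return Decision.DELIVER_CLEARTEXT, forwarded


def relay_chain(msg: Message, hops):
    """Walk msg through a list of hops, stopping at the first hop that refuses."""
    decisions = []
    for hop in hops:
        decision, msg = relay(msg, hop)
        decisions.append((hop.name, decision))
        if msg is None:
            break
    return decisions


if __name__ == "__main__":
    # Constructed sample chain: an MSA without the extension, then a border MTA
    # whose remote peer has a DANE/STS policy but whose TLS handshake fails.
    msa = NextHop("msa", supports_requiretls=False, tls_ok=True, has_tls_policy=False)
    border = NextHop("border", supports_requiretls=True, tls_ok=False, has_tls_policy=True)
    for label, msg in [
        ("REQUIRETLS=YES", Message(requiretls=True)),
        ("MAYTLS as ESMTP parameter only", Message(requiretls=False)),
        ("waiver as header field", Message(headers={WAIVER_HEADER: "No"})),
    ]:
        print(label, [(h, d.name) for h, d in relay_chain(msg, [msa, border])])
```

Running the three cases shows the fragility Jim describes and the fix Viktor proposes: the parameter-only MAYTLS message loses its signal at the oblivious MSA and is then held at the border MTA, while the header-carried waiver reaches the border MTA and is delivered in the clear as the sender asked.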