Maybe my solution should be combined with STS? The way I see it my solution should be the default way of signalling.
If the MX host ends with the same domain (i.e. self-hosted) and starts with "26pref", then it's already safe from downgrade attacks. Since the email address domain matches the MX host, the domain certificate is safe too.

If the MX host ends with a different domain (i.e. third-party hosted) or the self-hosted MX records don't start with "26pref", that means it's vulnerable to MITM attacks. As Alice mentioned, we need 2FA in this case. Website owners can opt in for STS. And clients should check for the existence of the mta-sts.txt file before transferring the mail.

The advantage of my solution is that it brings "Implicit TLS" into SMTP via a dedicated port. So it offers "better security" than STARTTLS. When both domains and clients opt in for STS, it offers "ultimate security".

STS believes STARTTLS should be used everywhere. So it asks domains and clients to opt in for STARTTLS. My solution believes SMTPS should be used everywhere. If your MX host is not self-hosted and doesn't start with "26pref", then it considers those records vulnerable to MITM attacks. So security is the default here. Abnormal records are non-secure. Thus it requires 2FA via STS.

Let me know your thoughts.

On Sun, Jan 6, 2019 at 11:43 AM Alice Wonder <[email protected]> wrote:

> On 1/5/19 9:58 PM, Viruthagiri Thirumavalavan wrote:
> > Requiring TLS is pointless if the MX record is not secure.
> >
> > Alice,
> >
> > If the DNS is not secure, then that's a completely different issue. It
> > should be fixed in the DNS rather than SMTP. And that's the reason
> > DNSSEC was introduced, right?
>
> That's why I use DNSSEC.
>
> But MTA-STS provides a way to leverage PKI to secure the MX record when
> DNSSEC validation is not available. That can be either because the
> receiving domain is not protected by DNSSEC or because the sending MTA
> is not able to validate DNSSEC.
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta

--
Best Regards,
Viruthagiri Thirumavalavan
Dombox, Inc.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
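The decision rule sketched in the message above (treat an MX as "implicit TLS" only when it is self-hosted under the recipient domain and its host name starts with "26pref"; otherwise fall back to an MTA-STS policy check), as an added example that is not part of the thread and not code from either participant or from any MTA. The "26pref" prefix is the proposal's own convention and has no standard behind it; the MTA-STS policy text is a constructed sample in the RFC 8461 mta-sts.txt format, and the result labels ("implicit-tls", "sts-enforce", "sts-mismatch", "no-policy") are names chosen here for illustration. Nothing is fetched over the network; a real sender would retrieve the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt after finding the _mta-sts TXT record.

```python
"""Classify a recipient domain's MX hosts per the proposal discussed above,
then apply an MTA-STS (RFC 8461) policy check for the remaining cases.

Added example, not code from the thread. "26pref" is the proposal's own
host-name convention (an assumption here); the policy below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

PREFIX = "26pref"  # assumed prefix from the proposal; purely illustrative

# Constructed sample policy in mta-sts.txt format (RFC 8461 section 3.2).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800
"""


def is_self_hosted(domain: str, mx_host: str) -> bool:
    """True if the MX host is the recipient domain itself or a subdomain of it."""
    d = domain.lower().rstrip(".")
    h = mx_host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def classify_mx(domain: str, mx_hosts: List[str]) -> str:
    """'implicit-tls' only if every MX is self-hosted and carries the prefix."""
    if mx_hosts and all(
        is_self_hosted(domain, h) and h.lower().startswith(PREFIX) for h in mx_hosts
    ):
        return "implicit-tls"
    return "needs-sts"


@dataclass
class StsPolicy:
    mode: str
    mx: List[str]
    max_age: int


def parse_mta_sts(text: str) -> StsPolicy:
    """Parse a mta-sts.txt body; reject unknown versions and modes."""
    fields = {}
    mx_patterns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx_patterns.append(value.lower().rstrip("."))
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {mode!r}")
    return StsPolicy(mode=mode, mx=mx_patterns, max_age=int(fields["max_age"]))


def mx_matches_policy(mx_host: str, patterns: List[str]) -> bool:
    """RFC 8461 mx matching: exact match, or a leading '*' covering one label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif host == pat:
            return True
    return False


def delivery_decision(domain: str, mx_hosts: List[str], policy_text: Optional[str]) -> str:
    """Combine the prefix rule with the MTA-STS check.

    Returns one of: 'implicit-tls', 'no-policy', 'sts-mismatch',
    or 'sts-<mode>' when every MX host is covered by the policy.
    """
    if classify_mx(domain, mx_hosts) == "implicit-tls":
        return "implicit-tls"
    if policy_text is None:
        return "no-policy"  # policy file absent; the thread leaves this case open
    policy = parse_mta_sts(policy_text)
    if all(mx_matches_policy(h, policy.mx) for h in mx_hosts):
        return f"sts-{policy.mode}"
    return "sts-mismatch"  # an MX outside the policy: possible MX-record tampering


if __name__ == "__main__":
    print(delivery_decision("example.com", ["26pref-mx1.example.com"], None))
    print(delivery_decision("example.com", ["aspmx.l.google.com"], SAMPLE_POLICY))
    print(delivery_decision("example.com", ["mx.evil.example"], SAMPLE_POLICY))
```

The wildcard handling is the part worth checking against the RFC: a pattern such as `*.googlemail.com` covers `alt1.googlemail.com` but neither `googlemail.com` itself nor `a.b.googlemail.com`, so a policy author who lists only the wildcard will see multi-label MX hosts reported as a mismatch.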
