1
2
3
4
5
6
7Internet Engineering Task Force (IETF) K. Moore
8Request for Comments: 8314 Windrock, Inc.
9Updates: 1939, 2595, 3501, 5068, 6186, 6409 C. Newman
10Category: Standards Track Oracle
11ISSN: 2070-1721 January 2018
12
13
14 Cleartext Considered Obsolete: Use of Transport Layer Security (TLS)
15 for Email Submission and Access
16
17Abstract
18
19 This specification outlines current recommendations for the use of
20 Transport Layer Security (TLS) to provide confidentiality of email
21 traffic between a Mail User Agent (MUA) and a Mail Submission Server
22 or Mail Access Server. This document updates RFCs 1939, 2595, 3501,
23 5068, 6186, and 6409.
24
25Status of This Memo
26
27 This is an Internet Standards Track document.
28
29 This document is a product of the Internet Engineering Task Force
30 (IETF). It represents the consensus of the IETF community. It has
31 received public review and has been approved for publication by the
32 Internet Engineering Steering Group (IESG). Further information on
33 Internet Standards is available in Section 2 of RFC 7841.
34
35 Information about the current status of this document, any errata,
36 and how to provide feedback on it may be obtained at
37 https://www.rfc-editor.org/info/rfc8314.
38
39Copyright Notice
40
41 Copyright (c) 2018 IETF Trust and the persons identified as the
42 document authors. All rights reserved.
43
44 This document is subject to BCP 78 and the IETF Trust's Legal
45 Provisions Relating to IETF Documents
46 (https://trustee.ietf.org/license-info) in effect on the date of
47 publication of this document. Please review these documents
48 carefully, as they describe your rights and restrictions with respect
49 to this document. Code Components extracted from this document must
50 include Simplified BSD License text as described in Section 4.e of
51 the Trust Legal Provisions and are provided without warranty as
52 described in the Simplified BSD License.
53
54
55
56
57
58Moore & Newman Standards Track [Page 1]
59
60RFC 8314 Use of TLS for Email Submission/Access January 2018
61
62
63Table of Contents
64
65 1. Introduction ....................................................3
66 1.1. How This Document Updates Previous RFCs ....................3
67 2. Conventions and Terminology Used in This Document ...............4
68 3. Implicit TLS ....................................................5
69 3.1. Implicit TLS for POP .......................................5
70 3.2. Implicit TLS for IMAP ......................................5
71 3.3. Implicit TLS for SMTP Submission ...........................6
72 3.4. Implicit TLS Connection Closure for POP, IMAP, and
73 SMTP Submission ............................................7
74 4. Use of TLS by Mail Access Servers and Message Submission
75 Servers .........................................................7
76 4.1. Deprecation of Services Using Cleartext and TLS Versions
77 Less Than 1.1 ..............................................8
78 4.2. Mail Server Use of Client Certificate Authentication .......9
79 4.3. Recording TLS Ciphersuite in "Received" Header Field .......9
80 4.4. TLS Server Certificate Requirements .......................10
81 4.5. Recommended DNS Records for Mail Protocol Servers .........11
82 4.5.1. MX Records .........................................11
83 4.5.2. SRV Records ........................................11
84 4.5.3. DNSSEC .............................................11
85 4.5.4. TLSA Records .......................................11
86 4.6. Changes to Internet-Facing Servers ........................11
87 5. Use of TLS by Mail User Agents .................................12
88 5.1. Use of SRV Records in Establishing Configuration ..........13
89 5.2. Minimum Confidentiality Level .............................14
90 5.3. Certificate Validation ....................................15
91 5.4. Certificate Pinning .......................................15
92 5.5. Client Certificate Authentication .........................16
93 6. Considerations Related to Antivirus/Antispam Software
94 and Services ...................................................17
95 7. IANA Considerations ............................................17
96 7.1. POP3S Port Registration Update ............................17
97 7.2. IMAPS Port Registration Update ............................18
98 7.3. Submissions Port Registration .............................18
99 7.4. Additional Registered Clauses for "Received" Fields .......19
100 8. Security Considerations ........................................19
101 9. References .....................................................20
102 9.1. Normative References ......................................20
103 9.2. Informative References ....................................22
104 Appendix A. Design Considerations .................................24
105 Acknowledgements ..................................................26
106 Authors' Addresses ................................................26
107
108
109
110
111
112
113
114Moore & Newman Standards Track [Page 2]
115
116RFC 8314 Use of TLS for Email Submission/Access January 2018
117
118
1191. Introduction
120
121 Software that provides email service via the Internet Message Access
122 Protocol (IMAP) [RFC3501], the Post Office Protocol (POP) [RFC1939],
123 and/or Simple Mail Transfer Protocol (SMTP) Submission [RFC6409]
124 usually has Transport Layer Security (TLS) [RFC5246] support but
125 often does not use it in a way that maximizes end-user
126 confidentiality. This specification describes current
127 recommendations for the use of TLS in interactions between Mail User
128 Agents (MUAs) and Mail Access Servers, and also between MUAs and Mail
129 Submission Servers.
130
131 In brief, this memo now recommends that:
132
133 o TLS version 1.2 or greater be used for all traffic between MUAs
134 and Mail Submission Servers, and also between MUAs and Mail Access
135 Servers.
136
137 o MUAs and Mail Service Providers (MSPs) (a) discourage the use of
138 cleartext protocols for mail access and mail submission and
139 (b) deprecate the use of cleartext protocols for these purposes as
140 soon as practicable.
141
142 o Connections to Mail Submission Servers and Mail Access Servers be
143 made using "Implicit TLS" (as defined below), in preference to
144 connecting to the "cleartext" port and negotiating TLS using the
145 STARTTLS command or a similar command.
146
147 This memo does not address the use of TLS with SMTP for message relay
148 (where Message Submission [RFC6409] does not apply). Improving the
149 use of TLS with SMTP for message relay requires a different approach.
150 One approach to address that topic is described in [RFC7672]; another
151 is provided in [MTA-STS].
152
153 The recommendations in this memo do not replace the functionality of,
154 and are not intended as a substitute for, end-to-end encryption of
155 electronic mail.
156
1571.1. How This Document Updates Previous RFCs
158
159 This document updates POP (RFC 1939), IMAP (RFC 3501), and Submission
160 (RFC 6409, RFC 5068) in two ways:
161
162 1. By adding Implicit TLS ports as Standards Track ports for these
163 protocols as described in Section 3.
164
165 2. By updating TLS best practices that apply to these protocols as
166 described in Sections 4 and 5.
167
168
169
170Moore & Newman Standards Track [Page 3]
171
172RFC 8314 Use of TLS for Email Submission/Access January 2018
173
174
175 This document updates RFC 2595 by replacing Section 7 of RFC 2595
176 with the preference for Implicit TLS as described in Sections 1 and 3
177 of this document, as well as by updating TLS best practices that
178 apply to the protocols in RFC 2595 as described in Sections 4 and 5
179 of this document.
180
181 This document updates RFC 6186 as described herein, in Section 5.1.
182
1832. Conventions and Terminology Used in This Document
184
185 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
186 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
187 "OPTIONAL" in this document are to be interpreted as described in
188 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
189 capitals, as shown here.
190
191 The term "Implicit TLS" refers to the automatic negotiation of TLS
192 whenever a TCP connection is made on a particular TCP port that is
193 used exclusively by that server for TLS connections. The term
194 "Implicit TLS" is intended to contrast with the use of STARTTLS and
195 similar commands in POP, IMAP, SMTP Message Submission, and other
196 protocols, that are used by the client and the server to explicitly
197 negotiate TLS on an established cleartext TCP connection.
198
199 The term "Mail Access Server" refers to a server for POP, IMAP, and
200 any other protocol used to access or modify received messages, or to
201 access or modify a mail user's account configuration.
202
203 The term "Mail Submission Server" refers to a server for the protocol
204 specified in [RFC6409] (or one of its predecessors or successors) for
205 submission of outgoing messages for delivery to recipients.
206
207 The term "Mail Service Provider" (or "MSP") refers to an operator of
208 Mail Access Servers and/or Mail Submission Servers.
209
210 The term "Mail Account" refers to a user's identity with an MSP, that
211 user's authentication credentials, any user email that is stored by
212 the MSP, and any other per-user configuration information maintained
213 by the MSP (for example, instructions for filtering spam). Most MUAs
214 support the ability to access multiple Mail Accounts.
215
216 For each account that an MUA accesses on its user's behalf, it must
217 have the server names, ports, authentication credentials, and other
218 configuration information specified by the user. This information,
219 which is used by the MUA, is referred to as "Mail Account
220 Configuration".
221
222
223
224
225
226Moore & Newman Standards Track [Page 4]
227
228RFC 8314 Use of TLS for Email Submission/Access January 2018
229
230
231 This specification expresses syntax using the Augmented Backus-Naur
232 Form (ABNF) as described in [RFC5234], including the core rules
233 provided in Appendix B of [RFC5234] and the rules provided in
234 [RFC5322].
235
2363. Implicit TLS
237
238 Previous standards for the use of email protocols with TLS used the
239 STARTTLS mechanism: [RFC2595], [RFC3207], and [RFC3501]. With
240 STARTTLS, the client establishes a cleartext application session and
241 determines whether to issue a STARTTLS command based on server
242 capabilities and client configuration. If the client issues a
243 STARTTLS command, a TLS handshake follows that can upgrade the
244 connection. Although this mechanism has been deployed, an alternate
245 mechanism where TLS is negotiated immediately at connection start on
246 a separate port (referred to in this document as "Implicit TLS") has
247 been deployed more successfully. To encourage more widespread use of
248 TLS and to also encourage greater consistency regarding how TLS is
249 used, this specification now recommends the use of Implicit TLS for
250 POP, IMAP, SMTP Submission, and all other protocols used between an
251 MUA and an MSP.
252
2533.1. Implicit TLS for POP
254
255 When a TCP connection is established for the "pop3s" service (default
256 port 995), a TLS handshake begins immediately. Clients MUST
257 implement the certificate validation mechanism described in
258 [RFC7817]. Once the TLS session is established, POP3 [RFC1939]
259 protocol messages are exchanged as TLS application data for the
260 remainder of the TCP connection. After the server sends an +OK
261 greeting, the server and client MUST enter the AUTHORIZATION state,
262 even if a client certificate was supplied during the TLS handshake.
263
264 See Sections 5.5 and 4.2 for additional information on client
265 certificate authentication. See Section 7.1 for port registration
266 information.
267
2683.2. Implicit TLS for IMAP
269
270 When a TCP connection is established for the "imaps" service (default
271 port 993), a TLS handshake begins immediately. Clients MUST
272 implement the certificate validation mechanism described in
273 [RFC7817]. Once the TLS session is established, IMAP [RFC3501]
274 protocol messages are exchanged as TLS application data for the
275 remainder of the TCP connection. If a client certificate was
276 provided during the TLS handshake that the server finds acceptable,
277 the server MAY issue a PREAUTH greeting, in which case both the
278
279
280
281
282Moore & Newman Standards Track [Page 5]
283
284RFC 8314 Use of TLS for Email Submission/Access January 2018
285
286
287 server and the client enter the AUTHENTICATED state. If the server
288 issues an OK greeting, then both the server and the client enter the
289 NOT AUTHENTICATED state.
290
291 See Sections 5.5 and 4.2 for additional information on client
292 certificate authentication. See Section 7.2 for port registration
293 information.
294
2953.3. Implicit TLS for SMTP Submission
296
297 When a TCP connection is established for the "submissions" service
298 (default port 465), a TLS handshake begins immediately. Clients MUST
299 implement the certificate validation mechanism described in
300 [RFC7817]. Once the TLS session is established, Message Submission
301 protocol data [RFC6409] is exchanged as TLS application data for the
302 remainder of the TCP connection. (Note: The "submissions" service
303 name is defined in Section 7.3 of this document and follows the usual
304 convention that the name of a service layered on top of Implicit TLS
305 consists of the name of the service as used without TLS, with an "s"
306 appended.)
307
308 The STARTTLS mechanism on port 587 is relatively widely deployed due
309 to the situation with port 465 (discussed in Section 7.3). This
310 differs from IMAP and POP services where Implicit TLS is more widely
311 deployed on servers than STARTTLS. It is desirable to migrate core
312 protocols used by MUA software to Implicit TLS over time, for
313 consistency as well as for the additional reasons discussed in
314 Appendix A. However, to maximize the use of encryption for
315 submission, it is desirable to support both mechanisms for Message
316 Submission over TLS for a transition period of several years. As a
317 result, clients and servers SHOULD implement both STARTTLS on
318 port 587 and Implicit TLS on port 465 for this transition period.
319 Note that there is no significant difference between the security
320 properties of STARTTLS on port 587 and Implicit TLS on port 465 if
321 the implementations are correct and if both the client and the server
322 are configured to require successful negotiation of TLS prior to
323 Message Submission.
324
325 Note that the "submissions" port provides access to a Message
326 Submission Agent (MSA) as defined in [RFC6409], so requirements and
327 recommendations for MSAs in that document, including the requirement
328 to implement SMTP AUTH [RFC4954] and the requirements of Email
329 Submission Operations [RFC5068], also apply to the submissions port.
330
331 See Sections 5.5 and 4.2 for additional information on client
332 certificate authentication. See Section 7.3 for port registration
333 information.
334
335
336
337
338Moore & Newman Standards Track [Page 6]
339
340RFC 8314 Use of TLS for Email Submission/Access January 2018
341
342
3433.4. Implicit TLS Connection Closure for POP, IMAP, and SMTP Submission
344
345 When a client or server wishes to close the connection, it SHOULD
346 initiate the exchange of TLS close alerts before TCP connection
347 termination. The client MAY, after sending a TLS close alert,
348 gracefully close the TCP connection (e.g., call the close() function
349 on the TCP socket or otherwise issue a TCP CLOSE ([RFC793],
350 Section 3.5)) without waiting for a TLS response from the server.
351
3524. Use of TLS by Mail Access Servers and Message Submission Servers
353
354 The following requirements and recommendations apply to Mail Access
355 Servers and Mail Submission Servers, or, if indicated, to MSPs:
356
357 o MSPs that support POP, IMAP, and/or Message Submission MUST
358 support TLS access for those protocol servers.
359
360 o Servers provided by MSPs other than POP, IMAP, and/or Message
361 Submission SHOULD support TLS access and MUST support TLS access
362 for those servers that support authentication via username and
363 password.
364
365 o MSPs that support POP, IMAP, and/or Message Submission SHOULD
366 provide and support instances of those services that use Implicit
367 TLS. (See Section 3.)
368
369 o For compatibility with existing MUAs and existing MUA
370 configurations, MSPs SHOULD also, in the near term, provide
371 instances of these services that support STARTTLS. This will
372 permit legacy MUAs to discover new availability of TLS capability
373 on servers and may increase the use of TLS by such MUAs. However,
374 servers SHOULD NOT advertise STARTTLS if the use of the STARTTLS
375 command by a client is likely to fail (for example, if the server
376 has no server certificate configured).
377
378 o MSPs SHOULD advertise their Mail Access Servers and Mail
379 Submission Servers, using DNS SRV records according to [RFC6186].
380 (In addition to making correct configuration easier for MUAs, this
381 provides a way by which MUAs can discover when an MSP begins to
382 offer TLS-based services.) Servers supporting TLS SHOULD be
383 advertised in preference to cleartext servers (if offered). In
384 addition, servers using Implicit TLS SHOULD be advertised in
385 preference to servers supporting STARTTLS (if offered). (See also
386 Section 4.5.)
387
388 o MSPs SHOULD deprecate the use of cleartext Mail Access Servers and
389 Mail Submission Servers as soon as practicable. (See
390 Section 4.1.)
391
392
393
394Moore & Newman Standards Track [Page 7]
395
396RFC 8314 Use of TLS for Email Submission/Access January 2018
397
398
399 o MSPs currently supporting such use of cleartext SMTP (on port 25)
400 as a means of Message Submission by their users (whether or not
401 requiring authentication) SHOULD transition their users to using
402 TLS (either Implicit TLS or STARTTLS) as soon as practicable.
403
404 o Mail Access Servers and Mail Submission Servers MUST support
405 TLS 1.2 or later.
406
407 o All Mail Access Servers and Mail Submission Servers SHOULD
408 implement the recommended TLS ciphersuites described in [RFC7525]
409 or a future BCP or Standards Track revision of that document.
410
411 o As soon as practicable, MSPs currently supporting Secure Sockets
412 Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users
413 to TLS 1.1 or later and discontinue support for those earlier
414 versions of SSL and TLS.
415
416 o Mail Submission Servers accepting mail using TLS SHOULD include in
417 the Received field of the outgoing message the TLS ciphersuite of
418 the session in which the mail was received. (See Section 4.3.)
419
420 o All Mail Access Servers and Mail Submission Servers implementing
421 TLS SHOULD log TLS cipher information along with any connection or
422 authentication logs that they maintain.
423
424 Additional considerations and details appear below.
425
4264.1. Deprecation of Services Using Cleartext and TLS Versions
427 Less Than 1.1
428
429 The specific means employed for deprecation of cleartext Mail Access
430 Servers and Mail Submission Servers MAY vary from one MSP to the next
431 in light of their user communities' needs and constraints. For
432 example, an MSP MAY implement a gradual transition in which, over
433 time, more and more users are forbidden to authenticate to cleartext
434 instances of these servers, thus encouraging those users to migrate
435 to Implicit TLS. Access to cleartext servers should eventually be
436 either (a) disabled or (b) limited strictly for use by legacy systems
437 that cannot be upgraded.
438
439 After a user's ability to authenticate to a server using cleartext is
440 revoked, the server denying such access MUST NOT provide any
441 indication over a cleartext channel of whether the user's
442 authentication credentials were valid. An attempt to authenticate as
443 such a user using either invalid credentials or valid credentials
444 MUST both result in the same indication of access being denied.
445
446
447
448
449
450Moore & Newman Standards Track [Page 8]
451
452RFC 8314 Use of TLS for Email Submission/Access January 2018
453
454
455 Also, users previously authenticating with passwords sent as
456 cleartext SHOULD be required to change those passwords when migrating
457 to TLS, if the old passwords were likely to have been compromised.
458 (For any large community of users using the public Internet to access
459 mail without encryption, the compromise of at least some of those
460 passwords should be assumed.)
461
462 Transition of users from SSL or TLS 1.0 to later versions of TLS MAY
463 be accomplished by a means similar to that described above. There
464 are multiple ways to accomplish this. One way is for the server to
465 refuse a ClientHello message from any client sending a
466 ClientHello.version field corresponding to any version of SSL or
467 TLS 1.0. Another way is for the server to accept ClientHello
468 messages from some client versions that it does not wish to support
469 but later refuse to allow the user to authenticate. The latter
470 method may provide a better indication to the user of the reason for
471 the failure but (depending on the protocol and method of
472 authentication used) may also risk exposure of the user's password
473 over a channel that is known to not provide adequate confidentiality.
474
475 It is RECOMMENDED that new users be required to use TLS version 1.1
476 or greater from the start. However, an MSP may find it necessary to
477 make exceptions to accommodate some legacy systems that support only
478 earlier versions of TLS or only cleartext.
479
4804.2. Mail Server Use of Client Certificate Authentication
481
482 Mail Submission Servers and Mail Access Servers MAY implement client
483 certificate authentication on the Implicit TLS port. Such servers
484 MUST NOT request a client certificate during the TLS handshake unless
485 the server is configured to accept some client certificates as
486 sufficient for authentication and the server has the ability to
487 determine a mail server authorization identity matching such
488 certificates. How to make this determination is presently
489 implementation specific.
490
491 If the server accepts the client's certificate as sufficient for
492 authorization, it MUST enable the Simple Authentication and Security
493 Layer (SASL) EXTERNAL mechanism [RFC4422]. An IMAPS server MAY issue
494 a PREAUTH greeting instead of enabling SASL EXTERNAL.
495
4964.3. Recording TLS Ciphersuite in "Received" Header Field todo future: ../mox-/tlsrecv.go:13
497
498 The ESMTPS transmission type [RFC3848] provides trace information
499 that can indicate that TLS was used when transferring mail. However,
500 TLS usage by itself is not a guarantee of confidentiality or
501 security. The TLS ciphersuite provides additional information about
502 the level of security made available for a connection. This section
503
504
505
506Moore & Newman Standards Track [Page 9]
507
508RFC 8314 Use of TLS for Email Submission/Access January 2018
509
510
511 defines a new SMTP "tls" Received header additional-registered-clause
512 that is used to record the TLS ciphersuite that was negotiated for
513 the connection. This clause SHOULD be included whenever a Submission
514 server generates a Received header field for a message received via
515 TLS. The value included in this additional clause SHOULD be the
516 registered ciphersuite name (e.g.,
517 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) included in the "TLS Cipher
518 Suite Registry". In the event that the implementation does not know
519 the name of the ciphersuite (a situation that should be remedied
520 promptly), a four-digit hexadecimal ciphersuite identifier MAY be
521 used. In addition, the Diffie-Hellman group name associated with the
522 ciphersuite MAY be included (when applicable and known) following the
523 ciphersuite name. The ABNF for the field follows:
524
525 tls-cipher-clause = CFWS "tls" FWS tls-cipher
526 [ CFWS tls-dh-group-clause ]
527
528 tls-cipher = tls-cipher-name / tls-cipher-hex
529
530 tls-cipher-name = ALPHA *(ALPHA / DIGIT / "_")
531 ; as registered in the IANA "TLS Cipher Suite Registry"
532 ; <https://www.iana.org/assignments/tls-parameters>
533
534 tls-cipher-hex = "0x" 4HEXDIG
535
536 tls-dh-group-clause = "group" FWS dh-group
537 ; not to be used except immediately after tls-cipher
538
539 dh-group = ALPHA *(ALPHA / DIGIT / "_" / "-")
540 ; as registered in the IANA "TLS Supported Groups Registry"
541 ; <https://www.iana.org/assignments/tls-parameters>
542
5434.4. TLS Server Certificate Requirements
544
545 MSPs MUST maintain valid server certificates for all servers. See
546 [RFC7817] for the recommendations and requirements necessary to
547 achieve this.
548
549 If a protocol server provides service for more than one mail domain,
550 it MAY use a separate IP address for each domain and/or a server
551 certificate that advertises multiple domains. This will generally be
552 necessary unless and until it is acceptable to impose the constraint
553 that the server and all clients support the Server Name Indication
554 (SNI) extension to TLS [RFC6066]. Mail servers supporting the SNI
555 need to support the post-SRV hostname to interoperate with MUAs that
556 have not implemented [RFC6186]. For more discussion of this problem,
557 see Section 5.1 of [RFC7817].
558
559
560
561
562Moore & Newman Standards Track [Page 10]
563
564RFC 8314 Use of TLS for Email Submission/Access January 2018
565
566
5674.5. Recommended DNS Records for Mail Protocol Servers
568
569 This section discusses not only the DNS records that are recommended
570 but also implications of DNS records for server configuration and TLS
571 server certificates.
572
5734.5.1. MX Records
574
575 It is recommended that MSPs advertise MX records for the handling of
576 inbound mail (instead of relying entirely on A or AAAA records) and
577 that those MX records be signed using DNSSEC [RFC4033]. This is
578 mentioned here only for completeness, as the handling of inbound mail
579 is out of scope for this document.
580
5814.5.2. SRV Records
582
583 MSPs SHOULD advertise SRV records to aid MUAs in determining the
584 proper configuration of servers, per the instructions in [RFC6186].
585
586 MSPs SHOULD advertise servers that support Implicit TLS in preference
587 to servers that support cleartext and/or STARTTLS operation.
588
5894.5.3. DNSSEC
590
591 All DNS records advertised by an MSP as a means of aiding clients in
592 communicating with the MSP's servers SHOULD be signed using DNSSEC if
593 and when the parent DNS zone supports doing so.
594
5954.5.4. TLSA Records
596
597 MSPs SHOULD advertise TLSA records to provide an additional trust
598 anchor for public keys used in TLS server certificates. However,
599 TLSA records MUST NOT be advertised unless they are signed using
600 DNSSEC.
601
6024.6. Changes to Internet-Facing Servers
603
604 When an MSP changes the Internet-facing Mail Access Servers and Mail
605 Submission Servers, including SMTP-based spam/virus filters, it is
606 generally necessary to support the same and/or a newer version of TLS
607 than the one previously used.
608
609
610
611
612
613
614
615
616
617
618Moore & Newman Standards Track [Page 11]
619
620RFC 8314 Use of TLS for Email Submission/Access January 2018
621
622
6235. Use of TLS by Mail User Agents
624
625 The following requirements and recommendations apply to MUAs:
626
627 o MUAs SHOULD be capable of using DNS SRV records to discover Mail
628 Access Servers and Mail Submission Servers that are advertised by
629 an MSP for an account being configured. Other means of
630 discovering server configuration information (e.g., a database
631 maintained by the MUA vendor) MAY also be supported. (See
632 Section 5.1 for more information.)
633
634 o MUAs SHOULD be configurable to require a minimum level of
635 confidentiality for any particular Mail Account and refuse to
636 exchange information via any service associated with that Mail
637 Account if the session does not provide that minimum level of
638 confidentiality. (See Section 5.2.)
639
640 o MUAs MUST NOT treat a session as meeting a minimum level of
641 confidentiality if the server's TLS certificate cannot be
642 validated. (See Section 5.3.)
643
644 o MUAs MAY impose other minimum confidentiality requirements in the
645 future, e.g., in order to discourage the use of TLS versions or
646 cryptographic algorithms in which weaknesses have been discovered.
647
648 o MUAs SHOULD provide a prominent indication of the level of
649 confidentiality associated with an account configuration that is
650 appropriate for the user interface (for example, a "lock" icon or
651 changed background color for a visual interface, or some sort of
652 audible indication for an audio user interface), at appropriate
653 times and/or locations, in order to inform the user of the
654 confidentiality of the communications associated with that
655 account. For example, this might be done whenever (a) the user is
656 prompted for authentication credentials, (b) the user is composing
657 mail that will be sent to a particular submission server, (c) a
658 list of accounts is displayed (particularly if the user can select
659 from that list to read mail), or (d) the user is asking to view or
660 update any configuration data that will be stored on a remote
661 server. If, however, an MUA provides such an indication, it
662 MUST NOT indicate confidentiality for any connection that does not
663 at least use TLS 1.1 with certificate verification and also meet
664 the minimum confidentiality requirements associated with that
665 account.
666
667 o MUAs MUST implement TLS 1.2 [RFC5246] or later. Earlier TLS and
668 SSL versions MAY also be supported, so long as the MUA requires at
669 least TLS 1.1 [RFC4346] when accessing accounts that are
670 configured to impose minimum confidentiality requirements.
671
672
673
674Moore & Newman Standards Track [Page 12]
675
676RFC 8314 Use of TLS for Email Submission/Access January 2018
677
678
679 o All MUAs SHOULD implement the recommended TLS ciphersuites
680 described in [RFC7525] or a future BCP or Standards Track revision
681 of that document.
682
683 o MUAs that are configured to not require minimum confidentiality
684 for one or more accounts SHOULD detect when TLS becomes available
685 on those accounts (using [RFC6186] or other means) and offer to
686 upgrade the account to require TLS.
687
688 Additional considerations and details appear below.
689
6905.1. Use of SRV Records in Establishing Configuration
691
692 This document updates [RFC6186] by changing the preference rules and 6186:133 ../mox-/admin.go:931
693 adding a new SRV service label _submissions._tcp to refer to Message
694 Submission with Implicit TLS.
695
696 User-configurable MUAs SHOULD support the use of [RFC6186] for
697 account setup. However, when using configuration information
698 obtained via this method, MUAs SHOULD ignore advertised services that
699 do not satisfy minimum confidentiality requirements, unless the user
700 has explicitly requested reduced confidentiality. This will have the
701 effect of causing the MUA to default to ignoring advertised
702 configurations that do not support TLS, even when those advertised
703 configurations have a higher priority than other advertised
704 configurations.
705
706 When using configuration information per [RFC6186], MUAs SHOULD NOT
707 automatically establish new configurations that do not require TLS
708 for all servers, unless there are no advertised configurations using
709 TLS. If such a configuration is chosen, prior to attempting to
710 authenticate to the server or use the server for Message Submission,
711 the MUA SHOULD warn the user that traffic to that server will not be
712 encrypted and that it will therefore likely be intercepted by
713 unauthorized parties. The specific wording is to be determined by
714 the implementation, but it should adequately capture the sense of
715 risk, given the widespread incidence of mass surveillance of email
716 traffic.
717
718 Similarly, an MUA MUST NOT attempt to "test" a particular Mail
719 Account configuration by submitting the user's authentication
720 credentials to a server, unless a TLS session meeting minimum
721 confidentiality levels has been established with that server. If
722 minimum confidentiality requirements have not been satisfied, the MUA
723 must explicitly warn that the user's password may be exposed to
724 attackers before testing the new configuration.
725
726
727
728
729
730Moore & Newman Standards Track [Page 13]
731
732RFC 8314 Use of TLS for Email Submission/Access January 2018
733
734
735 When establishing a new configuration for connecting to an IMAP, POP,
736 or SMTP submission server, based on SRV records, an MUA SHOULD verify
737 that either (a) the SRV records are signed using DNSSEC or (b) the
738 target Fully Qualified Domain Name (FQDN) of the SRV record matches
739 the original server FQDN for which the SRV queries were made. If the
740 target FQDN is not in the queried domain, the MUA SHOULD verify with
741 the user that the SRV target FQDN is suitable for use, before
742 executing any connections to the host. (See Section 6 of [RFC6186].)
743
744 An MUA MUST NOT consult SRV records to determine which servers to use
745 on every connection attempt, unless those SRV records are signed by
746 DNSSEC and have a valid signature. However, an MUA MAY consult SRV
747 records from time to time to determine if an MSP's server
748 configuration has changed and alert the user if it appears that this
749 has happened. This can also serve as a means to encourage users to
750 upgrade their configurations to require TLS if and when their MSPs
751 support it.
752
7535.2. Minimum Confidentiality Level
754
755 MUAs SHOULD, by default, require a minimum level of confidentiality
756 for services accessed by each account. For MUAs supporting the
757 ability to access multiple Mail Accounts, this requirement SHOULD be
758 configurable on a per-account basis.
759
760 The default minimum expected level of confidentiality for all new
761 accounts MUST require successful validation of the server's
762 certificate and SHOULD require negotiation of TLS version 1.1 or
763 greater. (Future revisions to this specification may raise these
764 requirements or impose additional requirements to address newly
765 discovered weaknesses in protocols or cryptographic algorithms.)
766
767 MUAs MAY permit the user to disable this minimum confidentiality
768 requirement during initial account configuration or when subsequently
769 editing an account configuration but MUST warn users that such a
770 configuration will not assure privacy for either passwords or
771 messages.
772
773 An MUA that is configured to require a minimum level of
774 confidentiality for a Mail Account MUST NOT attempt to perform any
775 operation other than capability discovery, or STARTTLS for servers
776 not using Implicit TLS, unless the minimum level of confidentiality
777 is provided by that connection.
778
779 MUAs SHOULD NOT allow users to easily access or send mail via a
780 connection, or authenticate to any service using a password, if that
781 account is configured to impose minimum confidentiality requirements
782 and that connection does not meet all of those requirements. An
783
784
785
786Moore & Newman Standards Track [Page 14]
787
788RFC 8314 Use of TLS for Email Submission/Access January 2018
789
790
791 example of "easy access" would be to display a dialog informing the
792 user that the security requirements of the account were not met by
793 the connection but allowing the user to "click through" to send mail
794 or access the service anyway. Experience indicates that users
795 presented with such an option often "click through" without
796 understanding the risks that they're accepting by doing so.
797 Furthermore, users who frequently find the need to "click through" to
798 use an insecure connection may become conditioned to do so as a
799 matter of habit, before considering whether the risks are reasonable
800 in each specific instance.
801
802 An MUA that is not configured to require a minimum level of
803 confidentiality for a Mail Account SHOULD still attempt to connect to
804 the services associated with that account using the most secure means
805 available, e.g., by using Implicit TLS or STARTTLS.
806
8075.3. Certificate Validation
808
809 MUAs MUST validate TLS server certificates according to [RFC7817] and
810 PKIX [RFC5280].
811
812 MUAs MAY also support DNS-Based Authentication of Named Entities
813 (DANE) [RFC6698] as a means of validating server certificates in
814 order to meet minimum confidentiality requirements.
815
816 MUAs MAY support the use of certificate pinning but MUST NOT consider
817 a connection in which the server's authenticity relies on certificate
818 pinning as providing the minimum level of confidentiality. (See
819 Section 5.4.)
820
8215.4. Certificate Pinning
822
823 During account setup, the MUA will identify servers that provide
824 account services such as mail access and mail submission (Section 5.1
825 describes one way to do this). The certificates for these servers
826 are verified using the rules described in [RFC7817] and PKIX
827 [RFC5280]. In the event that the certificate does not validate due
828 to an expired certificate, a lack of an appropriate chain of trust,
829 or a lack of an identifier match, the MUA MAY offer to create a
830 persistent binding between that certificate and the saved hostname
831 for the server, for use when accessing that account's servers. This
832 is called "certificate pinning".
833
834 (Note: This use of the term "certificate pinning" means something
835 subtly different than HTTP Public Key Pinning as described in
836 [RFC7469]. The dual use of the same term is confusing, but
837 unfortunately both uses are well established.)
838
839
840
841
842Moore & Newman Standards Track [Page 15]
843
844RFC 8314 Use of TLS for Email Submission/Access January 2018
845
846
847 Certificate pinning is only appropriate during Mail Account setup and
848 MUST NOT be offered as an option in response to a failed certificate
849 validation for an existing Mail Account. An MUA that allows
850 certificate pinning MUST NOT allow a certificate pinned for one
851 account to validate connections for other accounts. An MUA that
852 allows certificate pinning MUST also allow a user to undo the
853 pinning, i.e., to revoke trust in a certificate that has previously
854 been pinned.
855
856 A pinned certificate is subject to a man-in-the-middle attack at
857 account setup time and typically lacks a mechanism to automatically
858 revoke or securely refresh the certificate. Note also that a man-in-
859 the-middle attack at account setup time will expose the user's
860 password to the attacker (if a password is used). Therefore, the use
861 of a pinned certificate does not meet the requirement for a minimum
862 confidentiality level, and an MUA MUST NOT indicate to the user that
863 such confidentiality is provided. Additional advice on certificate
864 pinning is presented in [RFC6125].
865
8665.5. Client Certificate Authentication
867
868 MUAs MAY implement client certificate authentication on the Implicit
869 TLS port. An MUA MUST NOT provide a client certificate during the
870 TLS handshake unless the server requests one and the MUA has been
871 authorized to use that client certificate with that account. Having
872 the end user explicitly configure a client certificate for use with a
873 given account is sufficient to meet this requirement. However,
874 installing a client certificate for use with one account MUST NOT
875 automatically authorize the use of that certificate with other
876 accounts. This is not intended to prohibit site-specific
877 authorization mechanisms, such as (a) a site-administrator-controlled
878 mechanism to authorize the use of a client certificate with a given
879 account or (b) a domain-name-matching mechanism.
880
881 Note: The requirement that the server request a certificate is just a
882 restatement of the TLS protocol rules, e.g., Section 7.4.6 of
883 [RFC5246]. The requirement that the client not send a certificate
884 not known to be acceptable to the server is pragmatic in multiple
885 ways: the current TLS protocol provides no way for the client to know
886 which of the potentially multiple certificates it should use; also,
887 when the client sends a certificate, it is potentially disclosing its
888 identity (or its user's identity) to both the server and any party
889 with access to the transmission medium, perhaps unnecessarily and for
890 no useful purpose.
891
892
893
894
895
896
897
898Moore & Newman Standards Track [Page 16]
899
900RFC 8314 Use of TLS for Email Submission/Access January 2018
901
902
903 A client supporting client certificate authentication with Implicit
904 TLS MUST implement the SASL EXTERNAL mechanism [RFC4422], using the
905 appropriate authentication command (AUTH for POP3 [RFC5034], AUTH for
906 SMTP Submission [RFC4954], or AUTHENTICATE for IMAP [RFC3501]).
907
9086. Considerations Related to Antivirus/Antispam Software and Services
909
910 There are multiple ways to connect an AVAS service (e.g., "Antivirus
911 & Antispam") to a mail server. Some mechanisms, such as the de facto
912 "milter" protocol, are out of scope for this specification. However,
913 some services use an SMTP relay proxy that intercepts mail at the
914 application layer to perform a scan and proxy or forward to another
915 Mail Transfer Agent (MTA). Deploying AVAS services in this way can
916 cause many problems [RFC2979], including direct interference with
917 this specification, and other forms of confidentiality or security
918 reduction. An AVAS product or service is considered compatible with
919 this specification if all IMAP, POP, and SMTP-related software
920 (including proxies) it includes are compliant with this
921 specification.
922
923 Note that end-to-end email encryption prevents AVAS software and
924 services from using email content as part of a spam or virus
925 assessment. Furthermore, although a minimum confidentiality level
926 can prevent a man-in-the-middle from introducing spam or virus
927 content between the MUA and Submission server, it does not prevent
928 other forms of client or account compromise. The use of AVAS
929 services for submitted email therefore remains necessary.
930
9317. IANA Considerations
932
9337.1. POP3S Port Registration Update
934
935 IANA has updated the registration of the TCP well-known port 995
936 using the following template [RFC6335]:
937
938 Service Name: pop3s
939 Transport Protocol: TCP
940 Assignee: IESG <iesg@ietf.org>
941 Contact: IETF Chair <chair@ietf.org>
942 Description: POP3 over TLS protocol
943 Reference: RFC 8314
944 Port Number: 995
945
946
947
948
949
950
951
952
953
954Moore & Newman Standards Track [Page 17]
955
956RFC 8314 Use of TLS for Email Submission/Access January 2018
957
958
9597.2. IMAPS Port Registration Update
960
961 IANA has updated the registration of the TCP well-known port 993
962 using the following template [RFC6335]:
963
964 Service Name: imaps
965 Transport Protocol: TCP
966 Assignee: IESG <iesg@ietf.org>
967 Contact: IETF Chair <chair@ietf.org>
968 Description: IMAP over TLS protocol
969 Reference: RFC 8314
970 Port Number: 993
971
972 No changes to existing UDP port assignments for pop3s or imaps are
973 being requested.
974
9757.3. Submissions Port Registration
976
977 IANA has assigned an alternate usage of TCP port 465 in addition to
978 the current assignment using the following template [RFC6335]:
979
980 Service Name: submissions
981 Transport Protocol: TCP
982 Assignee: IESG <iesg@ietf.org>
983 Contact: IETF Chair <chair@ietf.org>
984 Description: Message Submission over TLS protocol
985 Reference: RFC 8314
986 Port Number: 465
987
988 This is a one-time procedural exception to the rules in [RFC6335].
989 This requires explicit IESG approval and does not set a precedent.
990 Note: Since the purpose of this alternate usage assignment is to
991 align with widespread existing practice and there is no known usage
992 of UDP port 465 for Message Submission over TLS, IANA has not
993 assigned an alternate usage of UDP port 465.
994
995 Historically, port 465 was briefly registered as the "smtps" port.
996 This registration made no sense, as the SMTP transport MX
997 infrastructure has no way to specify a port, so port 25 is always
998 used. As a result, the registration was revoked and was subsequently
999 reassigned to a different service. In hindsight, the "smtps"
1000 registration should have been renamed or reserved rather than
1001 revoked. Unfortunately, some widely deployed mail software
1002 interpreted "smtps" as "submissions" [RFC6409] and used that port for
1003 email submission by default when an end user requested security
1004 during account setup. If a new port is assigned for the submissions
1005 service, either (a) email software will continue with unregistered
1006 use of port 465 (leaving the port registry inaccurate relative to
1007
1008
1009
1010Moore & Newman Standards Track [Page 18]
1011
1012RFC 8314 Use of TLS for Email Submission/Access January 2018
1013
1014
1015 de facto practice and wasting a well-known port) or (b) confusion
1016 between the de facto and registered ports will cause harmful
1017 interoperability problems that will deter the use of TLS for Message
1018 Submission. The authors of this document believe that both of these
1019 outcomes are less desirable than a "wart" in the registry documenting
1020 real-world usage of a port for two purposes. Although STARTTLS on
1021 port 587 has been deployed, it has not replaced the deployed use of
1022 Implicit TLS submission on port 465.
1023
10247.4. Additional Registered Clauses for "Received" Fields
1025
1026 Per the provisions in [RFC5321], IANA has added two additional-
1027 registered-clauses for Received fields as defined in Section 4.3 of
1028 this document:
1029
1030 o "tls": Indicates the TLS cipher used (if applicable)
1031
1032 o "group": Indicates the Diffie-Hellman group used with the TLS
1033 cipher (if applicable)
1034
1035 The descriptions and syntax of these additional clauses are provided
1036 in Section 4.3 of this document.
1037
10388. Security Considerations
1039
1040 This entire document is about security considerations. In general,
1041 this is targeted to improve mail confidentiality and to mitigate
1042 threats external to the email system such as network-level snooping
1043 or interception; this is not intended to mitigate active attackers
1044 who have compromised service provider systems.
1045
1046 Implementers should be aware that the use of client certificates with
1047 TLS 1.2 reveals the user's identity to any party with the ability to
1048 read packets from the transmission medium and therefore may
1049 compromise the user's privacy. There seems to be no easy fix with
1050 TLS 1.2 or earlier versions, other than to avoid presenting client
1051 certificates except when there is explicit authorization to do so.
1052 TLS 1.3 [TLS-1.3] appears to reduce this privacy risk somewhat.
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066Moore & Newman Standards Track [Page 19]
1067
1068RFC 8314 Use of TLS for Email Submission/Access January 2018
1069
1070
10719. References
1072
10739.1. Normative References
1074
1075 [RFC793] Postel, J., "Transmission Control Protocol", STD 7,
1076 RFC 793, DOI 10.17487/RFC0793, September 1981,
1077 <https://www.rfc-editor.org/info/rfc793>.
1078
1079 [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
1080 STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
1081 <https://www.rfc-editor.org/info/rfc1939>.
1082
1083 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1084 Requirement Levels", BCP 14, RFC 2119,
1085 DOI 10.17487/RFC2119, March 1997,
1086 <https://www.rfc-editor.org/info/rfc2119>.
1087
1088 [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
1089 Transport Layer Security", RFC 3207, DOI 10.17487/RFC3207,
1090 February 2002, <https://www.rfc-editor.org/info/rfc3207>.
1091
1092 [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL -
1093 VERSION 4rev1", RFC 3501, DOI 10.17487/RFC3501,
1094 March 2003, <https://www.rfc-editor.org/info/rfc3501>.
1095
1096 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1097 Rose, "DNS Security Introduction and Requirements",
1098 RFC 4033, DOI 10.17487/RFC4033, March 2005,
1099 <https://www.rfc-editor.org/info/rfc4033>.
1100
1101 [RFC5034] Siemborski, R. and A. Menon-Sen, "The Post Office Protocol
1102 (POP3) Simple Authentication and Security Layer (SASL)
1103 Authentication Mechanism", RFC 5034, DOI 10.17487/RFC5034,
1104 July 2007, <https://www.rfc-editor.org/info/rfc5034>.
1105
1106 [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for
1107 Syntax Specifications: ABNF", STD 68, RFC 5234,
1108 DOI 10.17487/RFC5234, January 2008,
1109 <https://www.rfc-editor.org/info/rfc5234>.
1110
1111 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
1112 (TLS) Protocol Version 1.2", RFC 5246,
1113 DOI 10.17487/RFC5246, August 2008,
1114 <https://www.rfc-editor.org/info/rfc5246>.
1115
1116
1117
1118
1119
1120
1121
1122Moore & Newman Standards Track [Page 20]
1123
1124RFC 8314 Use of TLS for Email Submission/Access January 2018
1125
1126
1127 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1128 Housley, R., and W. Polk, "Internet X.509 Public Key
1129 Infrastructure Certificate and Certificate Revocation List
1130 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
1131 <https://www.rfc-editor.org/info/rfc5280>.
1132
1133 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
1134 DOI 10.17487/RFC5322, October 2008,
1135 <https://www.rfc-editor.org/info/rfc5322>.
1136
1137 [RFC6186] Daboo, C., "Use of SRV Records for Locating Email
1138 Submission/Access Services", RFC 6186,
1139 DOI 10.17487/RFC6186, March 2011,
1140 <https://www.rfc-editor.org/info/rfc6186>.
1141
1142 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
1143 STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011,
1144 <https://www.rfc-editor.org/info/rfc6409>.
1145
1146 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
1147 of Named Entities (DANE) Transport Layer Security (TLS)
1148 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698,
1149 August 2012, <https://www.rfc-editor.org/info/rfc6698>.
1150
1151 [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
1152 "Recommendations for Secure Use of Transport Layer
1153 Security (TLS) and Datagram Transport Layer Security
1154 (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525,
1155 May 2015, <https://www.rfc-editor.org/info/rfc7525>.
1156
1157 [RFC7672] Dukhovni, V. and W. Hardaker, "SMTP Security via
1158 Opportunistic DNS-Based Authentication of Named Entities
1159 (DANE) Transport Layer Security (TLS)", RFC 7672,
1160 DOI 10.17487/RFC7672, October 2015,
1161 <https://www.rfc-editor.org/info/rfc7672>.
1162
1163 [RFC7817] Melnikov, A., "Updated Transport Layer Security (TLS)
1164 Server Identity Check Procedure for Email-Related
1165 Protocols", RFC 7817, DOI 10.17487/RFC7817, March 2016,
1166 <https://www.rfc-editor.org/info/rfc7817>.
1167
1168 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
1169 RFC 2119 Key Words", BCP 14, RFC 8174,
1170 DOI 10.17487/RFC8174, May 2017,
1171 <https://www.rfc-editor.org/info/rfc8174>.
1172
1173
1174
1175
1176
1177
1178Moore & Newman Standards Track [Page 21]
1179
1180RFC 8314 Use of TLS for Email Submission/Access January 2018
1181
1182
11839.2. Informative References
1184
1185 [CERT-555316]
1186 CERT, "Vulnerability Note VU#555316: STARTTLS plaintext
1187 command injection vulnerability", Carnegie Mellon
1188 University Software Engineering Institute, September 2011,
1189 <https://www.kb.cert.org/vuls/id/555316>.
1190
1191 [Email-TLS]
1192 Moore, K., "Recommendations for use of TLS by Electronic
1193 Mail Access Protocols", Work in Progress, draft-moore-
1194 email-tls-00, October 2013.
1195
1196 [MTA-STS] Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A.,
1197 and J. Jones, "SMTP MTA Strict Transport Security
1198 (MTA-STS)", Work in Progress, draft-ietf-uta-mta-sts-14,
1199 January 2018.
1200
1201 [POP3-over-TLS]
1202 Melnikov, A., Newman, C., and M. Yevstifeyev, Ed., "POP3
1203 over TLS", Work in Progress, draft-melnikov-pop3-
1204 over-tls-02, August 2011.
1205
1206 [RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP",
1207 RFC 2595, DOI 10.17487/RFC2595, June 1999,
1208 <https://www.rfc-editor.org/info/rfc2595>.
1209
1210 [RFC2979] Freed, N., "Behavior of and Requirements for Internet
1211 Firewalls", RFC 2979, DOI 10.17487/RFC2979, October 2000,
1212 <https://www.rfc-editor.org/info/rfc2979>.
1213
1214 [RFC3848] Newman, C., "ESMTP and LMTP Transmission Types
1215 Registration", RFC 3848, DOI 10.17487/RFC3848, July 2004,
1216 <https://www.rfc-editor.org/info/rfc3848>.
1217
1218 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
1219 (TLS) Protocol Version 1.1", RFC 4346,
1220 DOI 10.17487/RFC4346, April 2006,
1221 <https://www.rfc-editor.org/info/rfc4346>.
1222
1223 [RFC4422] Melnikov, A., Ed., and K. Zeilenga, Ed., "Simple
1224 Authentication and Security Layer (SASL)", RFC 4422,
1225 DOI 10.17487/RFC4422, June 2006,
1226 <https://www.rfc-editor.org/info/rfc4422>.
1227
1228
1229
1230
1231
1232
1233
1234Moore & Newman Standards Track [Page 22]
1235
1236RFC 8314 Use of TLS for Email Submission/Access January 2018
1237
1238
1239 [RFC4954] Siemborski, R., Ed., and A. Melnikov, Ed., "SMTP Service
1240 Extension for Authentication", RFC 4954,
1241 DOI 10.17487/RFC4954, July 2007,
1242 <https://www.rfc-editor.org/info/rfc4954>.
1243
1244 [RFC5068] Hutzler, C., Crocker, D., Resnick, P., Allman, E., and T.
1245 Finch, "Email Submission Operations: Access and
1246 Accountability Requirements", BCP 134, RFC 5068,
1247 DOI 10.17487/RFC5068, November 2007,
1248 <https://www.rfc-editor.org/info/rfc5068>.
1249
1250 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1251 DOI 10.17487/RFC5321, October 2008,
1252 <https://www.rfc-editor.org/info/rfc5321>.
1253
1254 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
1255 Extensions: Extension Definitions", RFC 6066,
1256 DOI 10.17487/RFC6066, January 2011,
1257 <https://www.rfc-editor.org/info/rfc6066>.
1258
1259 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
1260 Verification of Domain-Based Application Service Identity
1261 within Internet Public Key Infrastructure Using X.509
1262 (PKIX) Certificates in the Context of Transport Layer
1263 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
1264 March 2011, <https://www.rfc-editor.org/info/rfc6125>.
1265
1266 [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
1267 Cheshire, "Internet Assigned Numbers Authority (IANA)
1268 Procedures for the Management of the Service Name and
1269 Transport Protocol Port Number Registry", BCP 165,
1270 RFC 6335, DOI 10.17487/RFC6335, August 2011,
1271 <https://www.rfc-editor.org/info/rfc6335>.
1272
1273 [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning
1274 Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469,
1275 April 2015, <https://www.rfc-editor.org/info/rfc7469>.
1276
1277 [TLS-1.3] Rescorla, E., "The Transport Layer Security (TLS) Protocol
1278 Version 1.3", Work in Progress, draft-ietf-tls-tls13-23,
1279 January 2018.
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290Moore & Newman Standards Track [Page 23]
1291
1292RFC 8314 Use of TLS for Email Submission/Access January 2018
1293
1294
1295Appendix A. Design Considerations
1296
1297 This section is not normative.
1298
1299 The first version of this document was written independently from the
1300 October 2013 version of [Email-TLS] ("Recommendations for use of TLS
1301 by Electronic Mail Access Protocols"). Subsequent versions merge
1302 ideas from both documents.
1303
1304 One author of this document was also the author of RFC 2595, which
1305 became the standard for TLS usage with POP and IMAP, and the other
1306 author was perhaps the first to propose that idea. In hindsight,
1307 both authors now believe that that approach was a mistake. At this
1308 point, the authors believe that while anything that makes it easier
1309 to deploy TLS is good, the desirable end state is that these
1310 protocols always use TLS, leaving no need for a separate port for
1311 cleartext operation except to support legacy clients while they
1312 continue to be used. The separate-port model for TLS is inherently
1313 simpler to implement, debug, and deploy. It also enables a "generic
1314 TLS load-balancer" that accepts secure client connections for
1315 arbitrary foo-over-TLS protocols and forwards them to a server that
1316 may or may not support TLS. Such load-balancers cause many problems
1317 because they violate the end-to-end principle and the server loses
1318 the ability to log security-relevant information about the client
1319 unless the protocol is designed to forward that information (as this
1320 specification does for the ciphersuite). However, they can result in
1321 TLS deployment where it would not otherwise happen, which is a
1322 sufficiently important goal that it overrides any problems.
1323
1324 Although STARTTLS appears only slightly more complex than
1325 separate-port TLS, we again learned the lesson that complexity is the
1326 enemy of security in the form of the STARTTLS command injection
1327 vulnerability (Computer Emergency Readiness Team (CERT) vulnerability
1328 ID #555316 [CERT-555316]). Although there's nothing inherently wrong
1329 with STARTTLS, the fact that it resulted in a common implementation
1330 error (made independently by multiple implementers) suggests that it
1331 is a less secure architecture than Implicit TLS.
1332
1333 Section 7 of RFC 2595 critiques the separate-port approach to TLS.
1334 The first bullet was a correct critique. There are proposals in the
1335 HTTP community to address that, and the use of SRV records as
1336 described in RFC 6186 resolves that critique for email. The second
1337 bullet is correct as well but is not very important because useful
1338 deployment of security layers other than TLS in email is small enough
1339 to be effectively irrelevant. (Also, it's less correct than it used
1340 to be because "export" ciphersuites are no longer supported in modern
1341 versions of TLS.) The third bullet is incorrect because it misses
1342 the desirable option of "use TLS for all subsequent connections to
1343
1344
1345
1346Moore & Newman Standards Track [Page 24]
1347
1348RFC 8314 Use of TLS for Email Submission/Access January 2018
1349
1350
1351 this server once TLS is successfully negotiated". The fourth bullet
1352 may be correct, but it is not a problem yet with current port
1353 consumption rates. The fundamental error was prioritizing a
1354 perceived better design based on a mostly valid critique over
1355 real-world deployability. But getting security and confidentiality
1356 facilities actually deployed is so important that it should trump
1357 design purity considerations.
1358
1359 Port 465 is presently used for two purposes: for submissions by a
1360 large number of clients and service providers and for the "urd"
1361 protocol by one vendor. Actually documenting this current state is
1362 controversial, as discussed in the IANA Considerations section.
1363 However, there is no good alternative. Registering a new port for
1364 submissions when port 465 is already widely used for that purpose
1365 will just create interoperability problems. Registering a port
1366 that's only used if advertised by an SRV record (RFC 6186) would not
1367 create interoperability problems but would require all client
1368 deployments, server deployments, and software to change
1369 significantly, which is contrary to the goal of promoting the
1370 increased use of TLS. Encouraging the use of STARTTLS on port 587
1371 would not create interoperability problems, but it is unlikely to
1372 have any impact on the current undocumented use of port 465 and makes
1373 the guidance in this document less consistent. The remaining option
1374 is to document the current state of the world and support future use
1375 of port 465 for submission, as this increases consistency and ease of
1376 deployment for TLS email submission.
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402Moore & Newman Standards Track [Page 25]
1403
1404RFC 8314 Use of TLS for Email Submission/Access January 2018
1405
1406
1407Acknowledgements
1408
1409 Thanks to Ned Freed for discussion of the initial concepts in this
1410 document. Thanks to Alexey Melnikov for [POP3-over-TLS], which was
1411 the basis of the POP3 Implicit TLS text. Thanks to Russ Housley,
1412 Alexey Melnikov, and Dan Newman for review feedback. Thanks to
1413 Paul Hoffman for interesting feedback in initial conversations about
1414 this idea.
1415
1416Authors' Addresses
1417
1418 Keith Moore
1419 Windrock, Inc.
1420 PO Box 1934
1421 Knoxville, TN 37901
1422 United States of America
1423
1424 Email: moore@network-heretics.com
1425
1426
1427 Chris Newman
1428 Oracle
1429 440 E. Huntington Dr., Suite 400
1430 Arcadia, CA 91006
1431 United States of America
1432
1433 Email: chris.newman@oracle.com
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458Moore & Newman Standards Track [Page 26]
1459
1460