1
2
3
4
5
6
7Internet Engineering Task Force (IETF) V. Dukhovni
8Request for Comments: 7672 Two Sigma
9Category: Standards Track W. Hardaker
10ISSN: 2070-1721 Parsons
11 October 2015
12
13
14 SMTP Security via Opportunistic DNS-Based Authentication of Named
15 Entities (DANE) Transport Layer Security (TLS)
16
17Abstract
18
19 This memo describes a downgrade-resistant protocol for SMTP transport
20 security between Message Transfer Agents (MTAs), based on the DNS-
21 Based Authentication of Named Entities (DANE) TLSA DNS record.
22 Adoption of this protocol enables an incremental transition of the
23 Internet email backbone to one using encrypted and authenticated
24 Transport Layer Security (TLS).
25
26Status of This Memo
27
28 This is an Internet Standards Track document.
29
30 This document is a product of the Internet Engineering Task Force
31 (IETF). It represents the consensus of the IETF community. It has
32 received public review and has been approved for publication by the
33 Internet Engineering Steering Group (IESG). Further information on
34 Internet Standards is available in Section 2 of RFC 5741.
35
36 Information about the current status of this document, any errata,
37 and how to provide feedback on it may be obtained at
38 http://www.rfc-editor.org/info/rfc7672.
39
40Copyright Notice
41
42 Copyright (c) 2015 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
44
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
54
55
56
57
58Dukhovni & Hardaker Standards Track [Page 1]
59
60RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
61
62
63Table of Contents
64
65 1. Introduction ....................................................3
66 1.1. Terminology ................................................4
67 1.2. Background .................................................6
68 1.3. SMTP Channel Security ......................................6
69 1.3.1. STARTTLS Downgrade Attack ...........................7
70 1.3.2. Insecure Server Name without DNSSEC .................7
71 1.3.3. Sender Policy Does Not Scale ........................8
72 1.3.4. Too Many Certification Authorities ..................9
73 2. Identifying Applicable TLSA Records .............................9
74 2.1. DNS Considerations .........................................9
75 2.1.1. DNS Errors, "Bogus" Responses, and
76 "Indeterminate" Responses ...........................9
77 2.1.2. DNS Error Handling .................................11
78 2.1.3. Stub Resolver Considerations .......................12
79 2.2. TLS Discovery .............................................13
80 2.2.1. MX Resolution ......................................14
81 2.2.2. Non-MX Destinations ................................16
82 2.2.3. TLSA Record Lookup .................................18
83 3. DANE Authentication ............................................20
84 3.1. TLSA Certificate Usages ...................................20
85 3.1.1. Certificate Usage DANE-EE(3) .......................21
86 3.1.2. Certificate Usage DANE-TA(2) .......................22
87 3.1.3. Certificate Usages PKIX-TA(0) and PKIX-EE(1) .......23
88 3.2. Certificate Matching ......................................24
89 3.2.1. DANE-EE(3) Name Checks .............................24
90 3.2.2. DANE-TA(2) Name Checks .............................24
91 3.2.3. Reference Identifier Matching ......................25
92 4. Server Key Management ..........................................26
93 5. Digest Algorithm Agility .......................................27
94 6. Mandatory TLS Security .........................................27
95 7. Note on DANE for Message User Agents ...........................28
96 8. Interoperability Considerations ................................28
97 8.1. SNI Support ...............................................28
98 8.2. Anonymous TLS Cipher Suites ...............................29
99 9. Operational Considerations .....................................29
100 9.1. Client Operational Considerations .........................29
101 9.2. Publisher Operational Considerations ......................30
102 10. Security Considerations .......................................30
103 11. References ....................................................31
104 11.1. Normative References .....................................31
105 11.2. Informative References ...................................33
106 Acknowledgements ..................................................34
107 Authors' Addresses ................................................34
108
109
110
111
112
113
114Dukhovni & Hardaker Standards Track [Page 2]
115
116RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
117
118
1191. Introduction
120
121 This memo specifies a new connection security model for Message
122 Transfer Agents (MTAs). This model is motivated by key features of
123 inter-domain SMTP delivery, principally, the fact that the
124 destination server is selected indirectly via DNS Mail Exchange (MX)
125 records and that neither email addresses nor MX hostnames signal a
126 requirement for either secure or cleartext transport. Therefore,
127 aside from a few manually configured exceptions, SMTP transport
128 security is, by necessity, opportunistic (for a definition of
129 "Opportunistic Security", see [RFC7435]).
130
131 This specification uses the presence of DANE TLSA records to securely
132 signal TLS support and to publish the means by which SMTP clients can
133 successfully authenticate legitimate SMTP servers. This becomes
134 "opportunistic DANE TLS" and is resistant to downgrade and
135 man-in-the-middle (MITM) attacks. It enables an incremental
136 transition of the email backbone to authenticated TLS delivery, with
137 increased global protection as adoption increases.
138
139 With opportunistic DANE TLS, traffic from SMTP clients to domains
140 that publish "usable" DANE TLSA records in accordance with this memo
141 is authenticated and encrypted. Traffic from legacy clients or to
142 domains that do not publish TLSA records will continue to be sent in
143 the same manner as before, via manually configured security,
144 (pre-DANE) opportunistic TLS, or just cleartext SMTP.
145
146 Problems with the existing use of TLS in MTA-to-MTA SMTP that
147 motivate this specification are described in Section 1.3. The
148 specification itself follows, in Sections 2 and 3, which describe,
149 respectively, how to locate and use DANE TLSA records with SMTP. In
150 Section 6, we discuss the application of DANE TLS to destinations for
151 which channel integrity and confidentiality are mandatory. In
152 Section 7, we briefly comment on the potential applicability of this
153 specification to Message User Agents.
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170Dukhovni & Hardaker Standards Track [Page 3]
171
172RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
173
174
1751.1. Terminology
176
177 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
178 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
179 "OPTIONAL" in this document are to be interpreted as described in
180 [RFC2119].
181
182 The following terms or concepts are used throughout this document:
183
184 Man-in-the-middle (MITM) attack: Active modification of network
185 traffic by an adversary able to thereby compromise the
186 confidentiality or integrity of the data.
187
188 Downgrade attack: (From [RFC4949].) A type of MITM attack in which
189 the attacker can cause two parties, at the time they negotiate a
190 security association, to agree on a lower level of protection than
191 the highest level that could have been supported by both of them.
192
193 Downgrade-resistant: A protocol is "downgrade-resistant" if it
194 employs effective countermeasures against downgrade attacks.
195
196 "Secure", "bogus", "insecure", "indeterminate": DNSSEC validation
197 results, as defined in Section 4.3 of [RFC4035].
198
199 Validating security-aware stub resolver and non-validating
200 security-aware stub resolver:
201 Capabilities of the stub resolver in use, as defined in [RFC4033];
202 note that this specification requires the use of a security-aware
203 stub resolver.
204
205 (Pre-DANE) opportunistic TLS: Best-effort use of TLS that is
206 generally vulnerable to DNS forgery and STARTTLS downgrade
207 attacks. When a TLS-encrypted communication channel is not
208 available, message transmission takes place in the clear. MX
209 record indirection generally precludes authentication even when
210 TLS is available.
211
212 Opportunistic DANE TLS: Best-effort use of TLS that is resistant to
213 downgrade attacks for destinations with DNSSEC-validated TLSA
214 records. When opportunistic DANE TLS is determined to be
215 unavailable, clients should fall back to pre-DANE opportunistic
216 TLS. Opportunistic DANE TLS requires support for DNSSEC, DANE,
217 and STARTTLS on the client side, and STARTTLS plus a DNSSEC
218 published TLSA record on the server side.
219
220
221
222
223
224
225
226Dukhovni & Hardaker Standards Track [Page 4]
227
228RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
229
230
231 Reference identifier: (Special case of [RFC6125] definition.) One
232 of the domain names associated by the SMTP client with the
233 destination SMTP server for performing name checks on the server
234 certificate. When name checks are applicable, at least one of the
235 reference identifiers MUST match an [RFC6125] DNS-ID (or, if none
236 are present, the [RFC6125] CN-ID) of the server certificate (see
237 Section 3.2.3).
238
239 MX hostname: The RRDATA of an MX record consists of a 16 bit
240 preference followed by a Mail Exchange domain name (see [RFC1035],
241 Section 3.3.9). We will use the term "MX hostname" to refer to
242 the latter, that is, the DNS domain name found after the
243 preference value in an MX record. Thus, an "MX hostname" is
244 specifically a reference to a DNS domain name rather than any host
245 that bears that name.
246
247 Delayed delivery: Email delivery is a multi-hop store-and-forward
248 process. When an MTA is unable to forward a message that may
249 become deliverable later, the message is queued and delivery is
250 retried periodically. Some MTAs may be configured with a fallback
251 next-hop destination that handles messages that the MTA would
252 otherwise queue and retry. When a fallback next-hop destination
253 is configured, messages that would otherwise have to be delayed
254 may be sent to the fallback next-hop destination instead. The
255 fallback destination may itself be subject to opportunistic or
256 mandatory DANE TLS (Section 6) as though it were the original
257 message destination.
258
259 Original next-hop destination: The logical destination for mail
260 delivery. By default, this is the domain portion of the recipient
261 address, but MTAs may be configured to forward mail for some or
262 all recipients via designated relays. The original next-hop
263 destination is, respectively, either the recipient domain or the
264 associated configured relay.
265
266 MTA: Message Transfer Agent ([RFC5598], Section 4.3.2).
267
268 MSA: Message Submission Agent ([RFC5598], Section 4.3.1).
269
270 MUA: Message User Agent ([RFC5598], Section 4.2.1).
271
272 RR: A DNS resource record as defined in [RFC1034], Section 3.6.
273
274 RRset: An RRset ([RFC2181], Section 5) is a group of DNS resource
275 records that share the same label, class, and type.
276
277
278
279
280
281
282Dukhovni & Hardaker Standards Track [Page 5]
283
284RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
285
286
2871.2. Background
288
289 The Domain Name System Security Extensions (DNSSEC) add data origin
290 authentication, data integrity, and data nonexistence proofs to the
291 Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034],
292 and [RFC4035].
293
294 As described in the introduction of [RFC6698], TLS authentication via
295 the existing public Certification Authority (CA) PKI suffers from an
296 overabundance of trusted parties capable of issuing certificates for
297 any domain of their choice. DANE leverages the DNSSEC infrastructure
298 to publish public keys and certificates for use with the Transport
299 Layer Security (TLS) [RFC5246] protocol via the "TLSA" DNS record
300 type. With DNSSEC, each domain can only vouch for the keys of its
301 delegated sub-domains.
302
303 The TLS protocol enables secure TCP communication. In the context of
304 this memo, channel security is assumed to be provided by TLS. Used
305 without authentication, TLS provides only privacy protection against
306 eavesdropping attacks. Otherwise, TLS also provides data origin
307 authentication to guard against MITM attacks.
308
3091.3. SMTP Channel Security
310
311 With HTTPS, TLS employs X.509 certificates [RFC5280] issued by one of
312 the many CAs bundled with popular web browsers to allow users to
313 authenticate their "secure" websites. Before we specify a new DANE
314 TLS security model for SMTP, we will explain why a new security model
315 is needed. In the process, we will explain why the familiar HTTPS
316 security model is inadequate to protect inter-domain SMTP traffic.
317
318 The subsections below outline four key problems with applying
319 traditional Web PKI [RFC7435] to SMTP; these problems are addressed
320 by this specification. Since an SMTP channel security policy is not
321 explicitly specified in either the recipient address or the MX
322 record, a new signaling mechanism is required to indicate when
323 channel security is possible and should be used. The publication of
324 TLSA records allows server operators to securely signal to SMTP
325 clients that TLS is available and should be used. DANE TLSA makes it
326 possible to simultaneously discover which destination domains support
327 secure delivery via TLS and how to verify the authenticity of the
328 associated SMTP services, providing a path forward to ubiquitous SMTP
329 channel security.
330
331
332
333
334
335
336
337
338Dukhovni & Hardaker Standards Track [Page 6]
339
340RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
341
342
3431.3.1. STARTTLS Downgrade Attack
344
345 SMTP [RFC5321] is a single-hop protocol in a multi-hop store-and-
346 forward email delivery process. An SMTP envelope recipient address
347 does not correspond to a specific transport-layer endpoint address;
348 rather, at each relay hop, the transport-layer endpoint is the
349 next-hop relay, while the envelope recipient address typically
350 remains the same. Unlike HTTP and its corresponding secured version,
351 HTTPS, where the use of TLS is signaled via the URI scheme, email
352 recipient addresses do not directly signal transport security policy.
353 Indeed, no such signaling could work well with SMTP, since TLS
354 encryption of SMTP protects email traffic on a hop-by-hop basis while
355 email addresses could only express end-to-end policy.
356
357 With no mechanism available to signal transport security policy, SMTP
358 relays employ a best-effort "opportunistic" security model for TLS.
359 A single SMTP server TCP listening endpoint can serve both TLS and
360 non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS
361 command [RFC3207]. The server signals TLS support to the client over
362 a cleartext SMTP connection, and, if the client also supports TLS, it
363 may negotiate a TLS-encrypted channel to use for email transmission.
364 The server's indication of TLS support can be easily suppressed by an
365 MITM attacker. Thus, pre-DANE SMTP TLS security can be subverted by
366 simply downgrading a connection to cleartext. No TLS security
367 feature can prevent this. The attacker can simply disable TLS.
368
3691.3.2. Insecure Server Name without DNSSEC
370
371 With SMTP, DNS MX records abstract the next-hop transport endpoint
372 and allow administrators to specify a set of target servers to which
373 SMTP traffic should be directed for a given domain.
374
375 A TLS client is vulnerable to MITM attacks unless it verifies that
376 the server's certificate binds the public key to a name that matches
377 one of the client's reference identifiers. A natural choice of
378 reference identifier is the server's domain name. However, with
379 SMTP, server names are not directly encoded in the recipient address;
380 instead, they are obtained indirectly via MX records. Without
381 DNSSEC, the MX lookup is vulnerable to MITM and DNS cache poisoning
382 attacks. Active attackers can forge DNS replies with fake MX records
383 and can redirect email to servers with names of their choice.
384 Therefore, secure verification of SMTP TLS certificates matching the
385 server name is not possible without DNSSEC.
386
387
388
389
390
391
392
393
394Dukhovni & Hardaker Standards Track [Page 7]
395
396RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
397
398
399 One might try to harden TLS for SMTP against DNS attacks by using the
400 envelope recipient domain as a reference identifier and by requiring
401 each SMTP server to possess a trusted certificate for the envelope
402 recipient domain rather than the MX hostname. Unfortunately, this is
403 impractical, as email for many domains is handled by third parties
404 that are not in a position to obtain certificates for all the domains
405 they serve. Deployment of the Server Name Indication (SNI) extension
406 to TLS (see Section 3 of [RFC6066]) is no panacea, since SNI key
407 management is operationally challenging except when the email service
408 provider is also the domain's registrar and its certificate issuer;
409 this is rarely the case for email.
410
411 Since the recipient domain name cannot be used as the SMTP server
412 reference identifier, and neither can the MX hostname without DNSSEC,
413 large-scale deployment of authenticated TLS for SMTP requires that
414 the DNS be secure.
415
416 Since SMTP security depends critically on DNSSEC, it is important to
417 point out that SMTP with DANE is consequently the most conservative
418 possible trust model. It trusts only what must be trusted and no
419 more. Adding any other trusted actors to the mix can only reduce
420 SMTP security. A sender may choose to further harden DNSSEC for
421 selected high-value receiving domains by configuring explicit trust
422 anchors for those domains instead of relying on the chain of trust
423 from the root domain. However, detailed discussion of DNSSEC
424 security practices is out of scope for this document.
425
4261.3.3. Sender Policy Does Not Scale
427
428 Sending systems are in some cases explicitly configured to use TLS
429 for mail sent to selected peer domains, but this requires configuring
430 sending MTAs with appropriate subject names or certificate content
431 digests from their peer domains. Due to the resulting administrative
432 burden, such statically configured SMTP secure channels are used
433 rarely (generally only between domains that make bilateral
434 arrangements with their business partners). Internet email, on the
435 other hand, requires regularly contacting new domains for which
436 security configurations cannot be established in advance.
437
438 The abstraction of the SMTP transport endpoint via DNS MX records,
439 often across organizational boundaries, limits the use of public CA
440 PKI with SMTP to a small set of sender-configured peer domains. With
441 little opportunity to use TLS authentication, sending MTAs are rarely
442 configured with a comprehensive list of trusted CAs. SMTP services
443 that support STARTTLS often deploy X.509 certificates that are
444 self-signed or issued by a private CA.
445
446
447
448
449
450Dukhovni & Hardaker Standards Track [Page 8]
451
452RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
453
454
4551.3.4. Too Many Certification Authorities
456
457 Even if it were generally possible to determine a secure server name,
458 the SMTP client would still need to verify that the server's
459 certificate chain is issued by a trusted CA (a trust anchor). MTAs
460 are not interactive applications where a human operator can make a
461 decision (wisely or otherwise) to selectively disable TLS security
462 policy when certificate chain verification fails. With no user to
463 "click OK", the MTA's list of public CA trust anchors would need to
464 be comprehensive in order to avoid bouncing mail addressed to sites
465 that employ unknown CAs.
466
467 On the other hand, each trusted CA can issue certificates for any
468 domain. If even one of the configured CAs is compromised or operated
469 by an adversary, it can subvert TLS security for all destinations.
470 Any set of CAs is simultaneously both overly inclusive and not
471 inclusive enough.
472
4732. Identifying Applicable TLSA Records
474
4752.1. DNS Considerations
476
4772.1.1. DNS Errors, "Bogus" Responses, and "Indeterminate" Responses
478
479 An SMTP client that implements opportunistic DANE TLS per this
480 specification depends critically on the integrity of DNSSEC lookups,
481 as discussed in Section 1.3.2. This section lists the DNS resolver
482 requirements needed to avoid downgrade attacks when using
483 opportunistic DANE TLS.
484
485 A DNS lookup may signal an error or return a definitive answer. A
486 security-aware resolver MUST be used for this specification.
487 Security-aware resolvers will indicate the security status of a DNS
488 RRset with one of four possible values defined in Section 4.3 of
489 [RFC4035]: "secure", "insecure", "bogus", and "indeterminate". In
490 [RFC4035], the meaning of the "indeterminate" security status is:
491
492 An RRset for which the resolver is not able to determine whether
493 the RRset should be signed, as the resolver is not able to obtain
494 the necessary DNSSEC RRs. This can occur when the security-aware
495 resolver is not able to contact security-aware name servers for
496 the relevant zones.
497
498 Note that the "indeterminate" security status has a conflicting
499 definition in Section 5 of [RFC4033]:
500
501 There is no trust anchor that would indicate that a specific
502 portion of the tree is secure.
503
504
505
506Dukhovni & Hardaker Standards Track [Page 9]
507
508RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
509
510
511 In this document, the term "indeterminate" will be used exclusively
512 in the [RFC4035] sense. Therefore, obtaining "indeterminate" lookup
513 results is a (transient) failure condition, namely, the inability to
514 locate the relevant DNS records. DNS records that would be
515 classified "indeterminate" in the sense of [RFC4035] are simply
516 classified as "insecure".
517
518 We do not need to distinguish between zones that lack a suitable
519 ancestor trust anchor, and delegations (ultimately) from a trust
520 anchor that designate a child zone as being "insecure". All
521 "insecure" RRsets MUST be handled identically: in either case,
522 non-validated data for the query domain is all that is and can be
523 available, and authentication using the data is impossible. As the
524 DNS root zone has been signed, we expect that validating resolvers
525 used by Internet-facing MTAs will be configured with trust anchor
526 data for the root zone and that therefore domains with no ancestor
527 trust anchor will not be possible in most deployments.
528
529 As noted in Section 4.3 of [RFC4035], a security-aware DNS resolver
530 MUST be able to determine whether a given non-error DNS response is
531 "secure", "insecure", "bogus", or "indeterminate". It is expected
532 that most security-aware stub resolvers will not signal an
533 "indeterminate" security status (in the sense of [RFC4035]) to the
534 application and will instead signal a "bogus" or error result. If a
535 resolver does signal an [RFC4035] "indeterminate" security status,
536 this MUST be treated by the SMTP client as though a "bogus" or error
537 result had been returned.
538
539 An MTA using a non-validating security-aware stub resolver MAY use
540 the stub resolver's ability, if available, to signal DNSSEC
541 validation status based on information the stub resolver has learned
542 from an upstream validating recursive resolver. Security-oblivious
543 stub resolvers [RFC4033] MUST NOT be used. In accordance with
544 Section 4.9.3 of [RFC4035]:
545
546 ... a security-aware stub resolver MUST NOT place any reliance on
547 signature validation allegedly performed on its behalf, except
548 when the security-aware stub resolver obtained the data in
549 question from a trusted security-aware recursive name server via a
550 secure channel.
551
552 To avoid much repetition in the text below, we will pause to explain
553 the handling of "bogus" or "indeterminate" DNSSEC query responses.
554 These are not necessarily the result of a malicious actor; they can,
555 for example, occur when network packets are corrupted or lost in
556 transit. Therefore, "bogus" or "indeterminate" replies are equated
557 in this memo with lookup failure.
558
559
560
561
562Dukhovni & Hardaker Standards Track [Page 10]
563
564RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
565
566
567 There is an important non-failure condition we need to highlight in
568 addition to the obvious case of the DNS client obtaining a non-empty
569 "secure" or "insecure" RRset of the requested type. Namely, it is
570 not an error when either "secure" or "insecure" nonexistence is
571 determined for the requested data. When a DNSSEC response with a
572 validation status that is either "secure" or "insecure" reports
573 either no records of the requested type or nonexistence of the query
574 domain, the response is not a DNS error condition. The DNS client
575 has not been left without an answer; it has learned that records of
576 the requested type do not exist.
577
578 Security-aware stub resolvers will, of course, also signal DNS lookup
579 errors in other cases, for example, when processing a "SERVFAIL"
580 [RFC2136] response code (RCODE) [RFC1035], which will not have an
581 associated DNSSEC status. All lookup errors are treated the same way
582 by this specification, regardless of whether they are from a "bogus"
583 or "indeterminate" DNSSEC status or from a more generic DNS error:
584 the information that was requested cannot be obtained by the
585 security-aware resolver at this time. Thus, a lookup error is either
586 a failure to obtain the relevant RRset if it exists or a failure to
587 determine that no such RRset exists when it does not.
588
589 In contrast to a "bogus" response or an "indeterminate" response, an
590 "insecure" DNSSEC response is not an error; rather, as explained
591 above, it indicates that the target DNS zone is either delegated as
592 an "insecure" child of a "secure" parent zone or not a descendant of
593 any of the configured DNSSEC trust anchors in use by the SMTP client.
594 "Insecure" results will leave the SMTP client with degraded channel
595 security but do not stand in the way of message delivery. See
596 Section 2.2 for further details.
597
5982.1.2. DNS Error Handling
599
600 When a DNS lookup failure (an error, "bogus", or "indeterminate", as
601 defined above) prevents an SMTP client from determining which SMTP
602 server or servers it should connect to, message delivery MUST be
603 delayed. This naturally includes, for example, the case when a
604 "bogus" or "indeterminate" response is encountered during MX
605 resolution. When multiple MX hostnames are obtained from a
606 successful MX lookup but a later DNS lookup failure prevents network
607 address resolution for a given MX hostname, delivery may proceed via
608 any remaining MX hosts.
609
610 When a particular SMTP server is securely identified as the delivery
611 destination, a set of DNS lookups (Section 2.2) MUST be performed to
612 locate any related TLSA records. If any DNS queries used to locate
613 TLSA records fail (due to "bogus" or "indeterminate" records,
614 timeouts, malformed replies, SERVFAIL responses, etc.), then the SMTP
615
616
617
618Dukhovni & Hardaker Standards Track [Page 11]
619
620RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
621
622
623 client MUST treat that server as unreachable and MUST NOT deliver the
624 message via that server. If no servers are reachable, delivery is
625 delayed.
626
627 In the text that follows, we will only describe what happens when all
628 relevant DNS queries succeed. If any DNS failure occurs, the SMTP
629 client MUST behave as described in this section, by "skipping" the
630 SMTP server or destination that is problematic. Queries for
631 candidate TLSA records are explicitly part of "all relevant DNS
632 queries", and SMTP clients MUST NOT continue to connect to an SMTP
633 server or destination whose TLSA record lookup fails.
634
6352.1.3. Stub Resolver Considerations
636
637 A note about DNAME aliases: a query for a domain name whose ancestor
638 domain is a DNAME alias returns the DNAME RR for the ancestor domain
639 along with a CNAME that maps the query domain to the corresponding
640 sub-domain of the target domain of the DNAME alias [RFC6672].
641 Therefore, whenever we speak of CNAME aliases, we implicitly allow
642 for the possibility that the alias in question is the result of an
643 ancestor domain DNAME record. Consequently, no explicit support for
644 DNAME records is needed in SMTP software; it is sufficient to process
645 the resulting CNAME aliases. DNAME records only require special
646 processing in the validating stub resolver library that checks the
647 integrity of the combined DNAME + CNAME reply. When DNSSEC
648 validation is handled by a local caching resolver rather than the MTA
649 itself, even that part of the DNAME support logic is outside the MTA.
650
651 When a stub resolver returns a response containing a CNAME alias that
652 does not also contain the corresponding query results for the target
653 of the alias, the SMTP client will need to repeat the query at the
654 target of the alias and should do so recursively up to some
655 configured or implementation-dependent recursion limit. If at any
656 stage of CNAME expansion an error is detected, the lookup of the
657 original requested records MUST be considered to have failed.
658
659 Whether a chain of CNAME records was returned in a single stub
660 resolver response or via explicit recursion by the SMTP client, if at
661 any stage of recursive expansion an "insecure" CNAME record is
662 encountered, then it and all subsequent results (in particular, the
663 final result) MUST be considered "insecure", regardless of whether or
664 not any earlier CNAME records leading to the "insecure" record were
665 "secure".
666
667 Note that a security-aware non-validating stub resolver may return to
668 the SMTP client an "insecure" reply received from a validating
669 recursive resolver that contains a CNAME record along with additional
670 answers recursively obtained starting at the target of the CNAME. In
671
672
673
674Dukhovni & Hardaker Standards Track [Page 12]
675
676RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
677
678
679 this case, the only possible conclusion is that some record in the
680 set of records returned is "insecure", and it is, in fact, possible
681 that the initial CNAME record and a subset of the subsequent records
682 are "secure".
683
684 If the SMTP client needs to determine the security status of the DNS
685 zone containing the initial CNAME record, it will need to issue a
686 separate query of type "CNAME" that returns only the initial CNAME
687 record. Specifically, as discussed in Section 2.2.2, when "insecure"
688 A or AAAA records are found for an SMTP server via a CNAME alias, the
689 SMTP client will need to perform an additional CNAME query in order
690 to determine whether or not the DNS zone in which the alias is
691 published is DNSSEC signed.
692
6932.2. TLS Discovery
694
695 As noted previously (in Section 1.3.1), opportunistic TLS with SMTP
696 servers that advertise TLS support via STARTTLS is subject to an MITM
697 downgrade attack. Also, some SMTP servers that are not, in fact, TLS
698 capable erroneously advertise STARTTLS by default, and clients need
699 to be prepared to retry cleartext delivery after STARTTLS fails. In
700 contrast, DNSSEC-validated TLSA records MUST NOT be published for
701 servers that do not support TLS. Clients can safely interpret their
702 presence as a commitment by the server operator to implement TLS and
703 STARTTLS.
704
705 This memo defines four actions to be taken after the search for a
706 TLSA record returns "secure" usable results, "secure" unusable
707 results, "insecure" or no results, or an error signal. The term
708 "usable" in this context is in the sense of Section 4.1 of [RFC6698]. ../smtpclient/gather.go:354
709 Specifically, if the DNS lookup for a TLSA record returns:
710
711 A "secure" TLSA RRset with at least one usable record: Any
712 connection to the MTA MUST employ TLS encryption and MUST
713 authenticate the SMTP server using the techniques discussed in the
714 rest of this document. Failure to establish an authenticated TLS
715 connection MUST result in falling back to the next SMTP server or
716 delayed delivery.
717
718 A "secure" non-empty TLSA RRset where all the records are unusable: 6698:1845 6698:660 ../queue/direct.go:467
719 Any connection to the MTA MUST be made via TLS, but authentication
720 is not required. Failure to establish an encrypted TLS connection
721 MUST result in falling back to the next SMTP server or delayed
722 delivery.
723
724
725
726
727
728
729
730Dukhovni & Hardaker Standards Track [Page 13]
731
732RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
733
734
735 An "insecure" TLSA RRset or DNSSEC-authenticated denial of existence
736 of the TLSA records:
737 A connection to the MTA SHOULD be made using (pre-DANE)
738 opportunistic TLS; this includes using cleartext delivery when the
739 remote SMTP server does not appear to support TLS. The MTA MAY
740 retry in cleartext when delivery via TLS fails during the
741 handshake or even during data transfer.
742
743 Any lookup error: Lookup errors, including "bogus" and
744 "indeterminate" as explained in Section 2.1.1, MUST result in
745 falling back to the next SMTP server or delayed delivery.
746
747 An SMTP client MAY be configured to mandate DANE-verified delivery
748 for some destinations. With mandatory DANE TLS (Section 6), delivery
749 proceeds only when "secure" TLSA records are used to establish an
750 encrypted and authenticated TLS channel with the SMTP server.
751
752 When the original next-hop destination is an address literal rather
753 than a DNS domain, DANE TLS does not apply. Delivery proceeds using
754 any relevant security policy configured by the MTA administrator.
755 Similarly, when an MX RRset incorrectly lists a network address in
756 lieu of an MX hostname, if an MTA chooses to connect to the network
757 address in the nonconformant MX record, DANE TLSA does not apply for
758 such a connection.
759
760 In the subsections that follow, we explain how to locate the SMTP
761 servers and the associated TLSA records for a given next-hop
762 destination domain. We also explain which name or names are to be
763 used in identity checks of the SMTP server certificate.
764
7652.2.1. MX Resolution
766
767 In this section, we consider next-hop domains that are subject to MX
768 resolution and have MX records. The TLSA records and the associated
769 base domain are derived separately for each MX hostname that is used
770 to attempt message delivery. DANE TLS can authenticate message
771 delivery to the intended next-hop domain only when the MX records are
772 obtained securely via a DNSSEC-validated lookup.
773
774 MX records MUST be sorted by preference; an MX hostname with a worse
775 (numerically higher) MX preference that has TLSA records MUST NOT
776 preempt an MX hostname with a better (numerically lower) preference
777 that has no TLSA records. In other words, prevention of delivery
778 loops by obeying MX preferences MUST take precedence over channel
779 security considerations. Even with two equal-preference MX records,
780 an MTA is not obligated to choose the MX hostname that offers more
781
782
783
784
785
786Dukhovni & Hardaker Standards Track [Page 14]
787
788RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
789
790
791 security. Domains that want secure inbound mail delivery need to
792 ensure that all their SMTP servers and MX records are configured
793 accordingly.
794
795 In the language of [RFC5321], Section 5.1, the original next-hop
796 domain is the "initial name". If the MX lookup of the initial name
797 results in a CNAME alias, the MTA replaces the initial name with the
798 resulting name and performs a new lookup with the new name. MTAs
799 typically support recursion in CNAME expansion, so this replacement
800 is performed repeatedly (up to the MTA's recursion limit) until the
801 ultimate non-CNAME domain is found.
802
803 If the MX RRset (or any CNAME leading to it) is "insecure" (see
804 Section 2.1.1) and DANE TLS for the given destination is mandatory
805 (Section 6), delivery MUST be delayed. If the MX RRset is "insecure"
806 and DANE TLS is not mandatory, the SMTP client is free to use
807 pre-DANE opportunistic TLS (possibly even cleartext).
808
809 Since the protocol in this memo is an Opportunistic Security protocol
810 [RFC7435], the SMTP client MAY elect to use DANE TLS (as described in
811 Section 2.2.2 below), even with MX hosts obtained via an "insecure"
812 MX RRset. For example, when a hosting provider has a signed DNS zone
813 and publishes TLSA records for its SMTP servers, hosted domains that
814 are not signed may still benefit from the provider's TLSA records.
815 Deliveries via the provider's SMTP servers will not be subject to
816 active attacks when sending SMTP clients elect to use the provider's
817 TLSA records (active attacks that tamper with the "insecure" MX RRset
818 are of course still possible in this case).
819
820 When the MX records are not (DNSSEC) signed, an active attacker can
821 redirect SMTP clients to MX hosts of his choice. Such redirection is
822 tamper-evident when SMTP servers found via "insecure" MX records are
823 recorded as the next-hop relay in the MTA delivery logs in their
824 original (rather than CNAME-expanded) form. Sending MTAs SHOULD log
825 unexpanded MX hostnames when these result from "insecure" MX lookups.
826 Any successful authentication via an insecurely determined MX host
827 MUST NOT be misrepresented in the mail logs as secure delivery to the
828 intended next-hop domain.
829
830 In the absence of DNS lookup errors (Section 2.1.1), if the MX RRset
831 is not "insecure", then it is "secure", and the SMTP client MUST
832 treat each MX hostname as described in Section 2.2.2. When, for a
833 given MX hostname, no TLSA records are found or only "insecure" TLSA
834 records are found, DANE TLSA is not applicable with the SMTP server
835 in question, and delivery proceeds to that host as with pre-DANE
836 opportunistic TLS. To avoid downgrade attacks, any errors during
837 TLSA lookups MUST, as explained in Section 2.1.2, cause the SMTP
838 server in question to be treated as unreachable.
839
840
841
842Dukhovni & Hardaker Standards Track [Page 15]
843
844RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
845
846
8472.2.2. Non-MX Destinations
848
849 This section describes the algorithm used to locate the TLSA records
850 and associated TLSA base domain for an input domain that is not
851 subject to MX resolution, that represents a hostname from a "secure"
852 MX RRset, or that lacks MX records. Such domains include:
853
854 o Any host that is configured by the sending MTA administrator as
855 the next-hop relay for some or all domains and that is not subject
856 to MX resolution.
857
858 o A domain that has MX records. When a domain has MX records, we
859 treat each MX host listed in those MX records as though it were a
860 non-MX destination -- that is, in the same way as we would treat
861 an administrator-configured relay that handles mail for that
862 domain. (Unlike administrator-specified relays, MTAs are not
863 required to support CNAME expansion of next-hop names found via MX
864 lookups.)
865
866 o A next-hop destination domain subject to MX resolution that has no
867 MX records. In this case, the domain's name is implicitly also
868 its sole SMTP server name.
869
870 Note that DNS queries with type TLSA are mishandled by load-balancing
871 nameservers that serve the MX hostnames of some large email
872 providers. The DNS zones served by these nameservers are not signed
873 and contain no TLSA records. These nameservers SHOULD provide
874 "insecure" negative replies that indicate the nonexistence of the
875 TLSA records, but instead they fail by not responding at all or by
876 responding with a DNS RCODE [RFC1035] other than NXDOMAIN, e.g.,
877 SERVFAIL or NOTIMP [RFC2136].
878
879 To avoid problems delivering mail to domains whose SMTP servers are ../queue/direct.go:404
880 served by these problematic nameservers, the SMTP client MUST perform
881 any A and/or AAAA queries for the destination before attempting to
882 locate the associated TLSA records. This lookup is needed in any
883 case to determine (1) whether or not the destination domain is
884 reachable and (2) the DNSSEC validation status of the chain of CNAME
885 queries required to reach the ultimate address records.
886
887 If no address records are found, the destination is unreachable. If
888 address records are found but the DNSSEC validation status of the
889 first query response is "insecure" (see Section 2.1.3), the SMTP
890 client SHOULD NOT proceed to search for any associated TLSA records.
891 In the case of these problematic domains, TLSA queries would lead to
892 DNS lookup errors and would cause messages to be consistently delayed
893 and ultimately returned to the sender. We don't expect to find any
894
895
896
897
898Dukhovni & Hardaker Standards Track [Page 16]
899
900RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
901
902
903 "secure" TLSA records associated with a TLSA base domain that lies in
904 an unsigned DNS zone. Therefore, skipping TLSA lookups in this case
905 will also reduce latency, with no detrimental impact on security.
906
907 If the A and/or AAAA lookup of the initial name yields a CNAME, we
908 replace it with the resulting name as if it were the initial name and
909 perform a lookup again using the new name. This replacement is
910 performed recursively (up to the MTA's recursion limit).
911
912 We consider the following cases for handling a DNS response for an ../queue/direct.go:450 ../smtpclient/gather.go:280
913 A or AAAA DNS lookup:
914
915 Not found: When the DNS queries for A and/or AAAA records yield
916 neither a list of addresses nor a CNAME (or CNAME expansion is not
917 supported), the destination is unreachable.
918
919 Non-CNAME: The answer is not a CNAME alias. If the address RRset is
920 "secure", TLSA lookups are performed as described in Section 2.2.3
921 with the initial name as the candidate TLSA base domain. If no
922 "secure" TLSA records are found, DANE TLS is not applicable and
923 mail delivery proceeds with pre-DANE opportunistic TLS (which,
924 being best-effort, degrades to cleartext delivery when STARTTLS is
925 not available or the TLS handshake fails).
926
927 Insecure CNAME: The input domain is a CNAME alias, but the ultimate
928 network address RRset is "insecure" (see Section 2.1.1). If the
929 initial CNAME response is also "insecure", DANE TLS does not
930 apply. Otherwise, this case is treated just like the non-CNAME
931 case above, where a search is performed for a TLSA record with the
932 original input domain as the candidate TLSA base domain.
933
934 Secure CNAME: The input domain is a CNAME alias, and the ultimate ../smtpclient/gather.go:289
935 network address RRset is "secure" (see Section 2.1.1). Two
936 candidate TLSA base domains are tried: the fully CNAME-expanded
937 initial name and, failing that, the initial name itself.
938
939 In summary, if it is possible to securely obtain the full,
940 CNAME-expanded, DNSSEC-validated address records for the input
941 domain, then that name is the preferred TLSA base domain. Otherwise,
942 the unexpanded input domain is the candidate TLSA base domain. When
943 no "secure" TLSA records are found at either the CNAME-expanded or
944 unexpanded domain, then DANE TLS does not apply for mail delivery via
945 the input domain in question. And, as always, errors, "bogus"
946 results, or "indeterminate" results for any query in the process MUST
947 result in delaying or abandoning delivery.
948
949
950
951
952
953
954Dukhovni & Hardaker Standards Track [Page 17]
955
956RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
957
958
9592.2.3. TLSA Record Lookup
960
961 When the SMTP server's hostname is not a CNAME or DNAME alias, the
962 list of associated candidate TLSA base domains (see below) consists
963 of just the server hostname.
964
965 When the hostname is an alias with a "secure" (at every stage) full
966 expansion, the list of candidate TLSA base domains (see below) is a
967 pair of domains: the fully expanded server hostname first, and the
968 unexpanded server hostname second.
969
970 Each candidate TLSA base domain (alias-expanded or original) is in
971 turn prefixed with service labels of the form "_<port>._tcp". The
972 resulting domain name is used to issue a DNSSEC query with the query
973 type set to TLSA ([RFC6698], Section 7.1).
974
975 The first of these candidate domains to yield a "secure" TLSA RRset
976 becomes the actual TLSA base domain.
977
978 For SMTP, the destination TCP port is typically 25, but this may be
979 different with custom routes specified by the MTA administrator, in
980 which case the SMTP client MUST use the appropriate number in the
981 "_<port>" prefix in place of "_25". If, for example, the candidate
982 base domain is "mx.example.com" and the SMTP connection is to port
983 25, the TLSA RRset is obtained via a DNSSEC query of the form:
984
985 _25._tcp.mx.example.com. IN TLSA ?
986
987 The query response may be a CNAME or the actual TLSA RRset. If the
988 response is a CNAME, the SMTP client (through the use of its
989 security-aware stub resolver) restarts the TLSA query at the target
990 domain, following CNAMEs as appropriate, and keeps track of whether
991 or not the entire chain is "secure". If any "insecure" records are
992 encountered or the TLSA records don't exist, the next candidate TLSA
993 base domain is tried instead.
994
995 If the ultimate response is a "secure" TLSA RRset, then the candidate
996 TLSA base domain will be the actual TLSA base domain, and the TLSA
997 RRset will constitute the TLSA records for the destination. If none
998 of the candidate TLSA base domains yield "secure" TLSA records, then
999 the SMTP client is free to use pre-DANE opportunistic TLS (possibly
1000 even cleartext).
1001
1002 TLSA record publishers may leverage CNAMEs to reference a single
1003 authoritative TLSA RRset specifying a common CA or a common
1004 end-entity certificate to be used with multiple TLS services. Such
1005 CNAME expansion does not change the SMTP client's notion of the TLSA
1006 base domain; thus, when _25._tcp.mx.example.com is a CNAME, the base
1007
1008
1009
1010Dukhovni & Hardaker Standards Track [Page 18]
1011
1012RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1013
1014
1015 domain remains mx.example.com, and this is still the reference
1016 identifier used together with the next-hop domain in peer certificate
1017 name checks.
1018
1019 Note that shared end-entity certificate associations expose the
1020 publishing domain to substitution attacks, where an MITM attacker can
1021 reroute traffic to a different server that shares the same end-entity
1022 certificate. Such shared end-entity TLSA records SHOULD be avoided
1023 unless the servers in question are functionally equivalent or employ
1024 mutually incompatible protocols (an active attacker gains nothing by
1025 diverting client traffic from one such server to another).
1026
1027 A better example, employing a shared trust anchor rather than shared
1028 end-entity certificates, is illustrated by the DNSSEC-validated
1029 records below:
1030
1031 example.com. IN MX 0 mx1.example.com.
1032 example.com. IN MX 0 mx2.example.com.
1033 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com.
1034 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com.
1035 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c149a...
1036
1037 The SMTP servers mx1.example.com and mx2.example.com will be expected
1038 to have certificates issued under a common trust anchor, but each MX
1039 hostname's TLSA base domain remains unchanged despite the above CNAME
1040 records. Correspondingly, each SMTP server will be associated with a
1041 pair of reference identifiers consisting of its hostname plus the
1042 next-hop domain "example.com".
1043
1044 If, during TLSA resolution (including possible CNAME indirection), at
1045 least one "secure" TLSA record is found (even if not usable because
1046 it is unsupported by the implementation or support is
1047 administratively disabled), then the corresponding host has signaled
1048 its commitment to implement TLS. The SMTP client MUST NOT deliver
1049 mail via the corresponding host unless a TLS session is negotiated
1050 via STARTTLS. This is required to avoid MITM STARTTLS downgrade
1051 attacks.
1052
1053 As noted previously (in Section 2.2.2), when no "secure" TLSA records
1054 are found at the fully CNAME-expanded name, the original unexpanded
1055 name MUST be tried instead. This supports customers of hosting
1056 providers where the provider's zone cannot be validated with DNSSEC
1057 but the customer has shared appropriate key material with the hosting
1058 provider to enable TLS via SNI. Intermediate names that arise during
1059 CNAME expansion that are neither the original name nor the final name
1060 are never candidate TLSA base domains, even if "secure".
1061
1062
1063
1064
1065
1066Dukhovni & Hardaker Standards Track [Page 19]
1067
1068RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1069
1070
10713. DANE Authentication
1072
1073 This section describes which TLSA records are applicable to SMTP
1074 opportunistic DANE TLS and how to apply such records to authenticate
1075 the SMTP server. With opportunistic DANE TLS, both the TLS support
1076 implied by the presence of DANE TLSA records and the verification
1077 parameters necessary to authenticate the TLS peer are obtained
1078 together. In contrast to protocols where channel security policy is
1079 set exclusively by the client, authentication via this protocol is
1080 expected to be less prone to connection failure caused by
1081 incompatible configuration of the client and server.
1082
10833.1. TLSA Certificate Usages
1084
1085 The DANE TLSA specification [RFC6698] defines multiple TLSA RR types
1086 via combinations of three numeric parameters. The numeric values of
1087 these parameters were later given symbolic names in [RFC7218]. The
1088 rest of the TLSA record is the "certificate association data field",
1089 which specifies the full or digest value of a certificate or
1090 public key.
1091
1092 Since opportunistic DANE TLS will be used by non-interactive MTAs,
1093 with no user to "click OK" when authentication fails, reliability of
1094 peer authentication is paramount. Server operators are advised to
1095 publish TLSA records that are least likely to fail authentication due
1096 to interoperability or operational problems. Because DANE TLS relies
1097 on coordinated changes to DNS and SMTP server settings, the best
1098 choice of records to publish will depend on site-specific practices.
1099
1100 The certificate usage element of a TLSA record plays a critical role
1101 in determining how the corresponding certificate association data
1102 field is used to authenticate a server's certificate chain.
1103 Sections 3.1.1 and 3.1.2 explain the process for certificate usages
1104 DANE-EE(3) and DANE-TA(2), respectively. Section 3.1.3 briefly
1105 explains why certificate usages PKIX-TA(0) and PKIX-EE(1) are not
1106 applicable with opportunistic DANE TLS.
1107
1108 In summary, we RECOMMEND the use of "DANE-EE(3) SPKI(1) SHA2-256(1)",
1109 with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records as a second
1110 choice, depending on site needs. See Sections 3.1.1 and 3.1.2 for
1111 more details. Other combinations of TLSA parameters either (1) are
1112 explicitly unsupported or (2) offer little to recommend them over
1113 these two.
1114
1115
1116
1117
1118
1119
1120
1121
1122Dukhovni & Hardaker Standards Track [Page 20]
1123
1124RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1125
1126
11273.1.1. Certificate Usage DANE-EE(3)
1128
1129 Authentication via certificate usage DANE-EE(3) TLSA records involves
1130 simply checking that the server's leaf certificate matches the TLSA
1131 record. In particular, the binding of the server public key to its
1132 name is based entirely on the TLSA record association. The server
1133 MUST be considered authenticated even if none of the names in the
1134 certificate match the client's reference identity for the server.
1135
1136 The expiration date of the server certificate MUST be ignored: the
1137 validity period of the TLSA record key binding is determined by the
1138 validity interval of the TLSA record DNSSEC signature.
1139
1140 With DANE-EE(3), servers need not employ SNI (they may ignore the
1141 client's SNI message) even when the server is known under independent
1142 names that would otherwise require separate certificates. It is
1143 instead sufficient for the TLSA RRsets for all the domains in
1144 question to match the server's default certificate. Of course, with
1145 SMTP servers it is simpler still to publish the same MX hostname for
1146 all the hosted domains.
1147
1148 For domains where it is practical to make coordinated changes in DNS
1149 TLSA records during SMTP server key rotation, it is often best to
1150 publish end-entity DANE-EE(3) certificate associations. DANE-EE(3)
1151 certificates don't suddenly stop working when leaf or intermediate
1152 certificates expire, nor do they fail when the server operator
1153 neglects to configure all the required issuer certificates in the
1154 server certificate chain.
1155
1156 TLSA records published for SMTP servers SHOULD, in most cases, be
1157 "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE
1158 implementations are required to support SHA2-256, this record type
1159 works for all clients and need not change across certificate renewals
1160 with the same key.
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178Dukhovni & Hardaker Standards Track [Page 21]
1179
1180RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1181
1182
11833.1.2. Certificate Usage DANE-TA(2)
1184
1185 Some domains may prefer to avoid the operational complexity of
1186 publishing unique TLSA RRs for each TLS service. If the domain
1187 employs a common issuing CA to create certificates for multiple TLS
1188 services, it may be simpler to publish the issuing authority as a
1189 trust anchor (TA) for the certificate chains of all relevant
1190 services. The TLSA query domain (TLSA base domain with port and
1191 protocol prefix labels) for each service issued by the same TA may
1192 then be set to a CNAME alias that points to a common TLSA RRset that
1193 matches the TA. For example:
1194
1195 example.com. IN MX 0 mx1.example.com.
1196 example.com. IN MX 0 mx2.example.com.
1197 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com.
1198 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com.
1199 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14....
1200
1201 With usage DANE-TA(2), the server certificates will need to have
1202 names that match one of the client's reference identifiers (see
1203 [RFC6125]). The server MAY employ SNI to select the appropriate
1204 certificate to present to the client.
1205
1206 SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
1207 for TLS authentication MUST include the TA certificate as part of the
1208 certificate chain presented in the TLS handshake server certificate
1209 message even when it is a self-signed root certificate. Many SMTP
1210 servers are not configured with a comprehensive list of trust
1211 anchors, nor are they expected to be at any point in the future.
1212 Some MTAs will ignore all locally trusted certificates when
1213 processing usage DANE-TA(2) TLSA records. Thus, even when the TA
1214 happens to be a public CA known to the SMTP client, authentication is
1215 likely to fail unless the TA certificate is included in the TLS
1216 server certificate message.
1217
1218 With some SMTP server software, it is not possible to configure the
1219 server to include self-signed (root) CA certificates in the server
1220 certificate chain. Such servers either MUST publish DANE-TA(2)
1221 records for an intermediate certificate or MUST instead use
1222 DANE-EE(3) TLSA records.
1223
1224 TLSA records with a matching type of Full(0) are discouraged. While
1225 these potentially obviate the need to transmit the TA certificate in
1226 the TLS server certificate message, client implementations may not be
1227 able to augment the server certificate chain with the data obtained
1228 from DNS, especially when the TLSA record supplies a bare key
1229 (selector SPKI(1)). Since the server will need to transmit the TA
1230 certificate in any case, server operators SHOULD publish TLSA records
1231
1232
1233
1234Dukhovni & Hardaker Standards Track [Page 22]
1235
1236RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1237
1238
1239 with a matching type other than Full(0) and avoid potential
1240 interoperability issues with large TLSA records containing full
1241 certificates or keys.
1242
1243 TLSA Publishers employing DANE-TA(2) records SHOULD publish records
1244 with a selector of Cert(0). Such TLSA records are associated with
1245 the whole trust anchor certificate, not just with the trust anchor
1246 public key. In particular, the SMTP client SHOULD then apply any
1247 relevant constraints from the trust anchor certificate, such as, for
1248 example, path length constraints.
1249
1250 While a selector of SPKI(1) may also be employed, the resulting TLSA
1251 record will not specify the full trust anchor certificate content,
1252 and elements of the trust anchor certificate other than the public
1253 key become mutable. This may, for example, allow a subsidiary CA to
1254 issue a chain that violates the trust anchor's path length or name
1255 constraints.
1256
12573.1.3. Certificate Usages PKIX-TA(0) and PKIX-EE(1)
1258
1259 Note that this section applies to MTA-to-MTA SMTP, which is normally
1260 on port 25 -- that is, to servers that are the SMTP servers for one
1261 or more destination domains. Other uses of SMTP, such as in ../queue/submit.go:71
1262 MUA-to-MSA submission on ports 587 or 465, are out of scope for this
1263 document. Where those other uses also employ TLS opportunistically
1264 and/or depend on DNSSEC as a result of DNS-based discovery of service
1265 location, the relevant specifications should, as appropriate, arrive
1266 at similar conclusions.
1267
1268 As noted in Sections 1.3.1 and 1.3.2, sending MTAs cannot, without
1269 relying on DNSSEC for "secure" MX records and DANE for STARTTLS
1270 support signaling, perform server identity verification or prevent
1271 STARTTLS downgrade attacks. The use of PKIX CAs offers no added
1272 security, since an attacker capable of compromising DNSSEC is free to
1273 replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records
1274 bearing any convenient non-PKIX certificate usage. Finally, as
1275 explained in Section 1.3.4, there is no list of trusted CAs agreed
1276 upon by all MTAs and no user to "click OK" when a server's CA is not
1277 trusted by a client.
1278
1279 Therefore, TLSA records for the port 25 SMTP service used by client
1280 MTAs SHOULD NOT include TLSA RRs with certificate usage PKIX-TA(0) or
1281 PKIX-EE(1). SMTP client MTAs cannot be expected to be configured
1282 with a suitably complete set of trusted public CAs. Lacking a
1283 complete set of public CAs, MTA clients would not be able to verify
1284 the certificates of SMTP servers whose issuing root CAs are not
1285 trusted by the client.
1286
1287
1288
1289
1290Dukhovni & Hardaker Standards Track [Page 23]
1291
1292RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1293
1294
1295 Opportunistic DANE TLS needs to interoperate without bilateral
1296 coordination of security settings between client and server systems.
1297 Therefore, parameter choices that are fragile in the absence of
1298 bilateral coordination are unsupported. Nothing is lost; since the
1299 PKIX certificate usages cannot aid SMTP TLS security, they can only
1300 impede SMTP TLS interoperability.
1301
1302 SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0)
1303 or PKIX-EE(1) is undefined. As with any other unsupported
1304 certificate usage, SMTP clients MAY treat such records as "unusable". ../smtpclient/gather.go:362
1305
13063.2. Certificate Matching
1307
1308 When at least one usable "secure" TLSA record is found, the SMTP
1309 client MUST use TLSA records to authenticate the SMTP server.
1310 Messages MUST NOT be delivered via the SMTP server if authentication
1311 fails; otherwise, the SMTP client is vulnerable to MITM attacks.
1312
13133.2.1. DANE-EE(3) Name Checks
1314
1315 The SMTP client MUST NOT perform certificate name checks with
1316 certificate usage DANE-EE(3) (Section 3.1.1).
1317
13183.2.2. DANE-TA(2) Name Checks ../smtpclient/gather.go:410
1319
1320 To match a server via a TLSA record with certificate usage
1321 DANE-TA(2), the client MUST perform name checks to ensure that it has
1322 reached the correct server. In all DANE-TA(2) cases, the SMTP client
1323 MUST employ the TLSA base domain as the primary reference identifier
1324 for matching the server certificate.
1325
1326 TLSA records for MX hostnames: If the TLSA base domain was obtained ../smtpclient/gather.go:418
1327 indirectly via a "secure" MX lookup (including any CNAME-expanded
1328 name of an MX hostname), then the original next-hop domain used in
1329 the MX lookup MUST be included as a second reference identifier.
1330 The CNAME-expanded original next-hop domain MUST be included as a
1331 third reference identifier if different from the original next-hop
1332 domain. When the client MTA is employing DANE TLS security ../smtpclient/gather.go:433
1333 despite "insecure" MX redirection, the MX hostname is the only
1334 reference identifier.
1335
1336 TLSA records for non-MX hostnames: If MX records were not used ../smtpclient/gather.go:412
1337 (e.g., if none exist) and the TLSA base domain is the
1338 CNAME-expanded original next-hop domain, then the original
1339 next-hop domain MUST be included as a second reference identifier.
1340
1341
1342
1343
1344
1345
1346Dukhovni & Hardaker Standards Track [Page 24]
1347
1348RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1349
1350
1351 Accepting certificates with the original next-hop domain in addition
1352 to the MX hostname allows a domain with multiple MX hostnames to
1353 field a single certificate bearing a single domain name (i.e., the
1354 email domain) across all the SMTP servers. This also aids
1355 interoperability with pre-DANE SMTP clients that are configured to
1356 look for the email domain name in server certificates -- for example,
1357 with "secure" DNS records as shown below:
1358
1359 exchange.example.org. IN CNAME mail.example.org.
1360 mail.example.org. IN CNAME example.com.
1361 example.com. IN MX 10 mx10.example.com.
1362 example.com. IN MX 15 mx15.example.com.
1363 example.com. IN MX 20 mx20.example.com.
1364 ;
1365 mx10.example.com. IN A 192.0.2.10
1366 _25._tcp.mx10.example.com. IN TLSA 2 0 1 ...
1367 ;
1368 mx15.example.com. IN CNAME mxbackup.example.com.
1369 mxbackup.example.com. IN A 192.0.2.15
1370 ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
1371 _25._tcp.mx15.example.com. IN TLSA 2 0 1 ...
1372 ;
1373 mx20.example.com. IN CNAME mxbackup.example.net.
1374 mxbackup.example.net. IN A 198.51.100.20
1375 _25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ...
1376
1377 Certificate name checks for delivery of mail to exchange.example.org
1378 via any of the associated SMTP servers MUST accept at least the names
1379 "exchange.example.org" and "example.com", which are, respectively,
1380 the original and fully expanded next-hop domain. When the SMTP
1381 server is mx10.example.com, name checks MUST accept the TLSA base
1382 domain "mx10.example.com". If, despite the fact that MX hostnames 5321:3861 2181:661 7671:1030 ../smtpclient/gather.go:188
1383 are required to not be aliases, the MTA supports delivery via
1384 "mx15.example.com" or "mx20.example.com", then name checks MUST
1385 accept the respective TLSA base domains "mx15.example.com" and
1386 "mxbackup.example.net".
1387
13883.2.3. Reference Identifier Matching
1389
1390 When name checks are applicable (certificate usage DANE-TA(2)), if
1391 the server certificate contains a Subject Alternative Name extension
1392 [RFC5280] with at least one DNS-ID [RFC6125], then only the DNS-IDs
1393 are matched against the client's reference identifiers. The CN-ID
1394 [RFC6125] is only considered when no DNS-IDs are present. The server
1395 certificate is considered matched when one of its presented
1396 identifiers [RFC5280] matches any of the client's reference
1397 identifiers.
1398
1399
1400
1401
1402Dukhovni & Hardaker Standards Track [Page 25]
1403
1404RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1405
1406
1407 Wildcards are valid in either DNS-IDs or the CN-ID when applicable.
1408 The wildcard character must be the entire first label of the DNS-ID
1409 or CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com"
1410 and "*smtp.example.com" are not. SMTP clients MUST support wildcards
1411 that match the first label of the reference identifier, with the
1412 remaining labels matching verbatim. For example, the DNS-ID
1413 "*.example.com" matches the reference identifier "mx1.example.com".
1414 SMTP clients MAY, subject to local policy, allow wildcards to match
1415 multiple reference identifier labels, but servers cannot expect broad
1416 support for such a policy. Therefore, any wildcards in server
1417 certificates SHOULD match exactly one label in either the TLSA base
1418 domain or the next-hop domain.
1419
14204. Server Key Management
1421
1422 Two TLSA records MUST be published before employing a new EE or TA
1423 public key or certificate: one matching the currently deployed key
1424 and the other matching the new key scheduled to replace it. Once
1425 sufficient time has elapsed for all DNS caches to expire the previous
1426 TLSA RRset and related signature RRsets, servers may be configured to
1427 use the new EE private key and associated public key certificate or
1428 may employ certificates signed by the new trust anchor.
1429
1430 Once the new public key or certificate is in use, the TLSA RR that
1431 matches the retired key can be removed from DNS, leaving only RRs
1432 that match keys or certificates in active use.
1433
1434 As described in Section 3.1.2, when server certificates are validated
1435 via a DANE-TA(2) trust anchor and CNAME records are employed to store
1436 the TA association data at a single location, the responsibility of
1437 updating the TLSA RRset shifts to the operator of the trust anchor.
1438 Before a new trust anchor is used to sign any new server
1439 certificates, its certificate (digest) is added to the relevant TLSA
1440 RRset. After enough time elapses for the original TLSA RRset to age
1441 out of DNS caches, the new trust anchor can start issuing new server
1442 certificates. Once all certificates issued under the previous trust
1443 anchor have expired, its associated RRs can be removed from the TLSA
1444 RRset.
1445
1446 In the DANE-TA(2) key management model, server operators do not
1447 generally need to update DNS TLSA records after initially creating a
1448 CNAME record that references the centrally operated DANE-TA(2) RRset.
1449 If a particular server's key is compromised, its TLSA CNAME SHOULD be
1450 replaced with a DANE-EE(3) association until the certificate for the
1451 compromised key expires, at which point it can return to using a
1452 CNAME record. If the central trust anchor is compromised, all
1453
1454
1455
1456
1457
1458Dukhovni & Hardaker Standards Track [Page 26]
1459
1460RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1461
1462
1463 servers need to be issued new keys by a new TA, and an updated
1464 DANE-TA(2) TLSA RRset needs to be published containing just the
1465 new TA.
1466
1467 SMTP servers cannot expect broad Certificate Revocation List (CRL) or
1468 Online Certificate Status Protocol (OCSP) support from SMTP clients.
1469 As outlined above, with DANE, compromised server or trust anchor keys
1470 can be "revoked" by removing them from the DNS without the need for
1471 client-side support for OCSP or CRLs.
1472
14735. Digest Algorithm Agility
1474
1475 While [RFC6698] specifies multiple digest algorithms, it does not
1476 specify a protocol by which the SMTP client and TLSA record publisher
1477 can agree on the strongest shared algorithm. Such a protocol would
1478 allow the client and server to avoid exposure to deprecated weaker
1479 algorithms that are published for compatibility with less capable
1480 clients. When stronger algorithms are an option, deprecated
1481 algorithms SHOULD be avoided. Such a protocol is specified in
1482 [RFC7671]. SMTP clients and servers that implement this
1483 specification MUST comply with the requirements outlined in Section 9
1484 of [RFC7671].
1485
14866. Mandatory TLS Security
1487
1488 An MTA implementing this protocol may require a stronger security
1489 assurance when sending email to selected destinations. The sending
1490 organization may need to send sensitive email and/or may have
1491 regulatory obligations to protect its content. This protocol is not
1492 in conflict with such a requirement and, in fact, can often simplify
1493 authenticated delivery to such destinations.
1494
1495 Specifically, with domains that publish DANE TLSA records for their
1496 MX hostnames, a sending MTA can be configured to use the receiving
1497 domain's DANE TLSA records to authenticate the corresponding SMTP
1498 server. Authentication via DANE TLSA records is easier to manage, as
1499 changes in the receiver's expected certificate properties are made on
1500 the receiver end and don't require manually communicated
1501 configuration changes. With mandatory DANE TLS, when no usable TLSA
1502 records are found, message delivery is delayed. Thus, mail is only
1503 sent when an authenticated TLS channel is established to the remote
1504 SMTP server.
1505
1506 Administrators of mail servers that employ mandatory DANE TLS need to
1507 carefully monitor their mail logs and queues. If a partner domain
1508 unwittingly misconfigures its TLSA records, disables DNSSEC, or
1509 misconfigures SMTP server certificate chains, mail will be delayed
1510 and may bounce if the issue is not resolved in a timely manner.
1511
1512
1513
1514Dukhovni & Hardaker Standards Track [Page 27]
1515
1516RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1517
1518
15197. Note on DANE for Message User Agents
1520
1521 We note that SMTP is also used between Message User Agents (MUAs) and
1522 Message Submission Agents (MSAs) [RFC6409]. In [RFC6186], a protocol
1523 is specified that enables an MUA to dynamically locate the MSA based
1524 on the user's email address. SMTP connection security considerations
1525 for MUAs implementing [RFC6186] are largely analogous to connection
1526 security requirements for MTAs, and this specification could be
1527 applied largely verbatim with DNS MX records replaced by
1528 corresponding DNS Service (SRV) records [RFC7673].
1529
1530 However, until MUAs begin to adopt the dynamic configuration
1531 mechanisms of [RFC6186], they are adequately served by more
1532 traditional static TLS security policies. Specification of DANE TLS
1533 for MUA-to-MSA SMTP is left to future documents that focus
1534 specifically on SMTP security between MUAs and MSAs.
1535
15368. Interoperability Considerations
1537
15388.1. SNI Support
1539
1540 To ensure that the server sends the right certificate chain, the SMTP
1541 client MUST send the TLS SNI extension containing the TLSA base
1542 domain. This precludes the use of the Secure Socket Layer (SSL)
1543 HELLO that is SSL 2.0 compatible by the SMTP client.
1544
1545 Each SMTP server MUST present a certificate chain (see [RFC5246],
1546 Section 7.4.2) that matches at least one of the TLSA records. The
1547 server MAY rely on SNI to determine which certificate chain to
1548 present to the client. Clients that don't send SNI information may
1549 not see the expected certificate chain.
1550
1551 If the server's TLSA records match the server's default certificate
1552 chain, the server need not support SNI. In either case, the server
1553 need not include the SNI extension in its TLS HELLO, as simply
1554 returning a matching certificate chain is sufficient. Servers
1555 MUST NOT enforce the use of SNI by clients, as the client may be
1556 using unauthenticated opportunistic TLS and may not expect any
1557 particular certificate from the server. If the client sends no SNI
1558 extension or sends an SNI extension for an unsupported domain, the
1559 server MUST simply send some fallback certificate chain of its
1560 choice. The reason for not enforcing strict matching of the
1561 requested SNI hostname is that DANE TLS clients are typically willing
1562 to accept multiple server names but can only send one name in the SNI
1563 extension. The server's fallback certificate may match a different
1564 name acceptable to the client, e.g., the original next-hop domain.
1565
1566
1567
1568
1569
1570Dukhovni & Hardaker Standards Track [Page 28]
1571
1572RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1573
1574
15758.2. Anonymous TLS Cipher Suites
1576
1577 Since many SMTP servers either do not support or do not enable any
1578 anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD
1579 offer to negotiate a typical set of non-anonymous cipher suites
1580 required for interoperability with such servers. An SMTP client
1581 employing pre-DANE opportunistic TLS MAY also include one or more
1582 anonymous TLS cipher suites in its TLS HELLO. SMTP servers that need
1583 to interoperate with opportunistic TLS clients SHOULD be prepared to
1584 interoperate with such clients by either always selecting a mutually
1585 supported non-anonymous cipher suite or correctly handling client
1586 connections that negotiate anonymous cipher suites.
1587
1588 Note that while SMTP server operators are under no obligation to
1589 enable anonymous cipher suites, no security is gained by sending
1590 certificates to clients that will ignore them. Indeed, support for
1591 anonymous cipher suites in the server makes audit trails more
1592 informative. Log entries that record connections that employed an
1593 anonymous cipher suite record the fact that the clients did not care
1594 to authenticate the server.
1595
15969. Operational Considerations
1597
15989.1. Client Operational Considerations
1599
1600 An operational error on the sending or receiving side that cannot be
1601 corrected in a timely manner may, at times, lead to consistent
1602 failure to deliver time-sensitive email. The sending MTA
1603 administrator may have to choose between allowing email to queue
1604 until the error is resolved and disabling opportunistic or mandatory
1605 DANE TLS (Section 6) for one or more destinations. The choice to
1606 disable DANE TLS security should not be made lightly. Every
1607 reasonable effort should be made to determine that problems with mail
1608 delivery are the result of an operational error and not an attack. A
1609 fallback strategy may be to configure explicit out-of-band TLS
1610 security settings if supported by the sending MTA.
1611
1612 SMTP clients may deploy opportunistic DANE TLS incrementally by
1613 enabling it only for selected sites or may occasionally need to
1614 disable opportunistic DANE TLS for peers that fail to interoperate
1615 due to misconfiguration or software defects on either end. Some
1616 implementations MAY support DANE TLS in an "audit only" mode in which
1617 failure to achieve the requisite security level is logged as a
1618 warning and delivery proceeds at a reduced security level. Unless
1619 local policy specifies "audit only" or specifies that opportunistic
1620 DANE TLS is not to be used for a particular destination, an SMTP
1621
1622
1623
1624
1625
1626Dukhovni & Hardaker Standards Track [Page 29]
1627
1628RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1629
1630
1631 client MUST NOT deliver mail via a server whose certificate chain
1632 fails to match at least one TLSA record when usable TLSA records are
1633 found for that server.
1634
16359.2. Publisher Operational Considerations
1636
1637 Some MTAs enable STARTTLS selectively. For example, they might only
1638 support STARTTLS with clients that have previously demonstrated
1639 "proper MTA behavior", e.g., by retrying the delivery of deferred
1640 messages (greylisting). If such an MTA publishes DANE TLSA records,
1641 sending MTAs that implement this specification will not attempt the
1642 initial cleartext SMTP transaction needed to establish the "proper
1643 MTA behavior", because they cannot establish the required channel
1644 security. Server operators MUST NOT implement selective STARTTLS if
1645 they also want to support DANE TLSA.
1646
1647 TLSA Publishers MUST follow the guidelines in Section 8 of [RFC7671].
1648
1649 TLSA Publishers SHOULD follow the TLSA publication size guidance
1650 found in Section 10.1 of [RFC7671].
1651
1652 TLSA Publishers SHOULD follow the TLSA record TTL and signature
1653 lifetime recommendations found in Section 13 of [RFC7671].
1654
165510. Security Considerations
1656
1657 This protocol leverages DANE TLSA records to implement MITM-resistant
1658 Opportunistic Security [RFC7435] for SMTP. For destination domains
1659 that sign their MX records and publish signed TLSA records for their
1660 MX hostnames, this protocol allows sending MTAs to securely discover
1661 both the availability of TLS and how to authenticate the destination.
1662
1663 This protocol does not aim to secure all SMTP traffic, as that is not
1664 practical until DNSSEC and DANE adoption are universal. The
1665 incremental deployment provided by following this specification is a
1666 best possible path for securing SMTP. This protocol coexists and
1667 interoperates with the existing insecure Internet email backbone.
1668
1669 The protocol does not preclude existing non-opportunistic SMTP TLS
1670 security arrangements, which can continue to be used as before via
1671 manual configuration with negotiated out-of-band key and TLS
1672 configuration exchanges.
1673
1674 Opportunistic SMTP TLS depends critically on DNSSEC for downgrade
1675 resistance and secure resolution of the destination name. If DNSSEC
1676 is compromised, it is not possible to fall back on the public CA PKI
1677 to prevent MITM attacks. A successful breach of DNSSEC enables the
1678 attacker to publish TLSA usage 3 certificate associations and thereby
1679
1680
1681
1682Dukhovni & Hardaker Standards Track [Page 30]
1683
1684RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1685
1686
1687 bypass any security benefit the legitimate domain owner might hope to
1688 gain by publishing usage 0 or usage 1 TLSA RRs. Given the lack of
1689 public CA PKI support in existing MTA deployments, avoiding
1690 certificate usages 0 and 1 simplifies implementation and deployment
1691 with no adverse security consequences.
1692
1693 Implementations must strictly follow Sections 2.1.2, 2.1.3, 2.2,
1694 2.2.1, 2.2.2, 2.2.3, 3.2, and 9.1 of this specification; these
1695 sections indicate when it is appropriate to initiate a
1696 non-authenticated connection or cleartext connection to an SMTP
1697 server. Specifically, in order to prevent downgrade attacks on this
1698 protocol, implementations must not initiate a connection when this
1699 specification indicates that a particular SMTP server must be
1700 considered unreachable.
1701
170211. References
1703
170411.1. Normative References
1705
1706 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
1707 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
1708 <http://www.rfc-editor.org/info/rfc1034>.
1709
1710 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1711 Requirement Levels", BCP 14, RFC 2119,
1712 DOI 10.17487/RFC2119, March 1997,
1713 <http://www.rfc-editor.org/info/rfc2119>.
1714
1715 [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
1716 Transport Layer Security", RFC 3207, DOI 10.17487/RFC3207,
1717 February 2002, <http://www.rfc-editor.org/info/rfc3207>.
1718
1719 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1720 Rose, "DNS Security Introduction and Requirements",
1721 RFC 4033, DOI 10.17487/RFC4033, March 2005,
1722 <http://www.rfc-editor.org/info/rfc4033>.
1723
1724 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1725 Rose, "Resource Records for the DNS Security Extensions",
1726 RFC 4034, DOI 10.17487/RFC4034, March 2005,
1727 <http://www.rfc-editor.org/info/rfc4034>.
1728
1729 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1730 Rose, "Protocol Modifications for the DNS Security
1731 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
1732 <http://www.rfc-editor.org/info/rfc4035>.
1733
1734
1735
1736
1737
1738Dukhovni & Hardaker Standards Track [Page 31]
1739
1740RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1741
1742
1743 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
1744 (TLS) Protocol Version 1.2", RFC 5246,
1745 DOI 10.17487/RFC5246, August 2008,
1746 <http://www.rfc-editor.org/info/rfc5246>.
1747
1748 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1749 Housley, R., and W. Polk, "Internet X.509 Public Key
1750 Infrastructure Certificate and Certificate Revocation List
1751 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
1752 <http://www.rfc-editor.org/info/rfc5280>.
1753
1754 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1755 DOI 10.17487/RFC5321, October 2008,
1756 <http://www.rfc-editor.org/info/rfc5321>.
1757
1758 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598,
1759 DOI 10.17487/RFC5598, July 2009,
1760 <http://www.rfc-editor.org/info/rfc5598>.
1761
1762 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
1763 Extensions: Extension Definitions", RFC 6066,
1764 DOI 10.17487/RFC6066, January 2011,
1765 <http://www.rfc-editor.org/info/rfc6066>.
1766
1767 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
1768 Verification of Domain-Based Application Service Identity
1769 within Internet Public Key Infrastructure Using X.509
1770 (PKIX) Certificates in the Context of Transport Layer
1771 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
1772 March 2011, <http://www.rfc-editor.org/info/rfc6125>.
1773
1774 [RFC6186] Daboo, C., "Use of SRV Records for Locating Email
1775 Submission/Access Services", RFC 6186,
1776 DOI 10.17487/RFC6186, March 2011,
1777 <http://www.rfc-editor.org/info/rfc6186>.
1778
1779 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
1780 DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012,
1781 <http://www.rfc-editor.org/info/rfc6672>.
1782
1783 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
1784 of Named Entities (DANE) Transport Layer Security (TLS)
1785 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698,
1786 August 2012, <http://www.rfc-editor.org/info/rfc6698>.
1787
1788
1789
1790
1791
1792
1793
1794Dukhovni & Hardaker Standards Track [Page 32]
1795
1796RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1797
1798
1799 [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
1800 Conversations about DNS-Based Authentication of Named
1801 Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218,
1802 April 2014, <http://www.rfc-editor.org/info/rfc7218>.
1803
1804 [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based
1805 Authentication of Named Entities (DANE) Protocol: Updates
1806 and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
1807 October 2015, <http://www.rfc-editor.org/info/rfc7671>.
1808
180911.2. Informative References
1810
1811 [RFC1035] Mockapetris, P., "Domain names - implementation and
1812 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
1813 November 1987, <http://www.rfc-editor.org/info/rfc1035>.
1814
1815 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
1816 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
1817 RFC 2136, DOI 10.17487/RFC2136, April 1997,
1818 <http://www.rfc-editor.org/info/rfc2136>.
1819
1820 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
1821 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
1822 <http://www.rfc-editor.org/info/rfc2181>.
1823
1824 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
1825 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
1826 <http://www.rfc-editor.org/info/rfc4949>.
1827
1828 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
1829 STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011,
1830 <http://www.rfc-editor.org/info/rfc6409>.
1831
1832 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
1833 Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
1834 December 2014, <http://www.rfc-editor.org/info/rfc7435>.
1835
1836 [RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using
1837 DNS-Based Authentication of Named Entities (DANE) TLSA
1838 Records with SRV Records", RFC 7673, DOI 10.17487/RFC7673,
1839 October 2015, <http://www.rfc-editor.org/info/rfc7673>.
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850Dukhovni & Hardaker Standards Track [Page 33]
1851
1852RFC 7672 SMTP Security via Opportunistic DANE TLS October 2015
1853
1854
1855Acknowledgements
1856
1857 The authors would like to extend great thanks to Tony Finch, who
1858 started the original version of a DANE SMTP document. His work is
1859 greatly appreciated and has been incorporated into this document.
1860 The authors would like to additionally thank Phil Pennock for his
1861 comments and advice on this document.
1862
1863 Acknowledgements from Viktor: Thanks to Paul Hoffman, who motivated
1864 me to begin work on this memo and provided feedback on early draft
1865 versions of this document. Thanks to Patrick Koetter, Perry Metzger,
1866 and Nico Williams for valuable review comments. Thanks also to
1867 Wietse Venema, who created Postfix, and whose advice and feedback
1868 were essential to the development of the Postfix DANE implementation.
1869
1870Authors' Addresses
1871
1872 Viktor Dukhovni
1873 Two Sigma
1874
1875 Email: ietf-dane@dukhovni.org
1876
1877
1878 Wes Hardaker
1879 Parsons
1880 P.O. Box 382
1881 Davis, CA 95617
1882 United States
1883
1884 Email: ietf@hardakers.net
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906Dukhovni & Hardaker Standards Track [Page 34]
1907
1908