diff --git a/ConfigParser.py b/ConfigParser.py index 541ff3f30..85b704d93 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -75,10 +75,11 @@ class Config: else: raise ValueError, "Not a known enoforcement policy " + `value` elif atr == "acceptable-mxs": - for domain, mxball in acceptable_mx: + self.acceptable_mxs = val + for domain, mxball in selg.acceptable_mxs: pass else: - sys.stderr.write("Uknown attribute: " + `atr` + "\n") + sys.stderr.write("Unknown attribute: " + `atr` + "\n") # XXX is it ever permissible to have a domain with an acceptable-mx # that does not point to a TLS security policy? If not, check/warn/fail # here @@ -93,11 +94,6 @@ class Config: d = str(domain) # convert from unicode except: raise TypeError, "tls-policy domain not a string" + `domain` - if not d.startswith("*."): - raise ValueError, "tls-policy domains must start with *.; try *."+d - d = d.partition("*.")[2] - if not looks_like_a_domain(d): - raise ValueError, "tls-policy for something that a domain? " + d yield (d, policies) if __name__ == "__main__": diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 1d322c8e9..54a5e5ab1 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -117,10 +117,15 @@ class PostfixConfigGenerator(MTAConfigGenerator): def set_domainwise_tls_policies(self): self.policy_lines = [] - for domain, policy in self.policy_config.tls_policies.items(): - entry = domain + " encrypt" - if "min-tls-version" in policy: - entry += " " + policy["min-tls-version"] + for address_domain, properties in self.policy_config.acceptable_mxs.items(): + mx_list = properties["accept-mx-domains"] + if len(mx_list) > 1: + print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain + mx_domain = mx_list[0] + mx_policy = self.policy_config.tls_policies[mx_domain] + entry = address_domain + " encrypt" + if "min-tls-version" in mx_policy: + entry += " " + mx_policy["min-tls-version"] self.policy_lines.append(entry) f = open(DEFAULT_POLICY_FILE, "w") diff --git a/README.md b/README.md index 530c3ea7b..e50630ab8 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,10 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs. +## Alternatives + +Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier. + ## Detailed design Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide: diff --git a/config.json b/config.json index 1a9034545..05fc237bf 100644 --- a/config.json +++ b/config.json @@ -4,13 +4,13 @@ "author": "Electronic Frontier Foundation https://eff.org", "expires": 1404677353, "comment 2:": "epoch seconds", "tls-policies": { - "*.valid-example-recipient.com": { + ".valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } }, "acceptable-mxs": { "valid-example-recipient.com": { - "accept-mx-domains": [ "*.valid-example-recipient.com" ] + "accept-mx-domains": [ ".valid-example-recipient.com" ] } } diff --git a/starttls-everywhere.json b/starttls-everywhere.json index df3ff41ab..4f52d1e39 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,149 +1,149 @@ { "tls-policies": { - "*.valid-example-recipient.com": { + ".valid-example-recipient.com": { "force-tls" : true }, - "*.mx.aol.com": { + ".mx.aol.com": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.psmtp.com": { + ".psmtp.com": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.ukr.net": { + ".ukr.net": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.interia.pl": { + ".interia.pl": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.gmx.net": { + ".gmx.net": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.web.de": { + ".web.de": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.marktplaats.nl": { + ".marktplaats.nl": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.wp.pl": { + ".wp.pl": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.yahoodns.net": { + ".yahoodns.net": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.t-online.de": { + ".t-online.de": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.rambler.ru": { + ".rambler.ru": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.t.facebook.com": { + ".t.facebook.com": { "min-tls-version": "TLSv1", "require-tls": true } }, "acceptable-mxs": { "valid-example-recipient.com": { - "accept-mx-domains": [ "*.valid-example-recipient.com" ] + "accept-mx-domains": [ ".valid-example-recipient.com" ] }, "wp.pl": { "accept-mx-domains": [ - "*.wp.pl" + ".wp.pl" ] }, "yahoo.co.uk": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "rocketmail.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "web.de": { "accept-mx-domains": [ - "*.web.de" + ".web.de" ] }, "sbcglobal.net": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "aol.com": { "accept-mx-domains": [ - "*.mx.aol.com" + ".mx.aol.com" ] }, "facebook.com": { "accept-mx-domains": [ - "*.t.facebook.com" + ".t.facebook.com" ] }, "sompo-japan.co.jp": { "accept-mx-domains": [ - "*.psmtp.com" + ".psmtp.com" ] }, "salesforce.com": { "accept-mx-domains": [ - "*.psmtp.com" + ".psmtp.com" ] }, "rambler.ru": { "accept-mx-domains": [ - "*.rambler.ru" + ".rambler.ru" ] }, "t-online.de": { "accept-mx-domains": [ - "*.t-online.de" + ".t-online.de" ] }, "gmx.net": { "accept-mx-domains": [ - "*.gmx.net" + ".gmx.net" ] }, "gmx.de": { "accept-mx-domains": [ - "*.gmx.net" + ".gmx.net" ] }, "ukr.net": { "accept-mx-domains": [ - "*.ukr.net" + ".ukr.net" ] }, "rogers.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "ymail.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "marktplaats.nl": { "accept-mx-domains": [ - "*.marktplaats.nl" + ".marktplaats.nl" ] }, "interia.pl": { "accept-mx-domains": [ - "*.interia.pl" + ".interia.pl" ] } }