From 3cf61a54b7ce08389a85f5282fd86ca958b121b7 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Fri, 13 Jun 2014 13:57:05 -0400
Subject: [PATCH 1/3] Add alternatives section
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 6717f8b72..6e3d4212b 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d
 Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs.
+## Alternatives
+
+Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier.
+
 ## Detailed design
 Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide:
From 51f90ffafb3e74406e24eb63e7f359ed0483b461 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Mon, 16 Jun 2014 18:26:56 +0000
Subject: [PATCH 2/3] Write policies based on address domain, not stripped mx-domain
---
 ConfigParser.py | 9 ++-------
 MTAConfigGenerator.py | 13 +++++++++----
 starttls-everywhere.json | 5 -----
 3 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/ConfigParser.py b/ConfigParser.py
index 206132293..072c7e8ff 100755
--- a/ConfigParser.py
+++ b/ConfigParser.py
@@ -59,10 +59,10 @@ class Config:
 raise ValueError, "Not a valid TLS version string: " + `value`
 self.tls_policies[domain]["min-tls-version"] = str(value)
 elif atr == "acceptable-mxs":
+ self.acceptable_mxs = val
 pass
 else:
- sys.stderr.write("Uknown attribute: " + `atr` + "\n")
- print self.tls_policies
+ sys.stderr.write("Unknown attribute: " + `atr` + "\n")
 def check_tls_policy_domains(self, val):
 if type(val) != dict:
@@ -73,11 +73,6 @@ class Config:
 d = str(domain) # convert from unicode
 except:
 raise TypeError, "tls-policy domain not a string" + `domain`
- if not d.startswith("*."):
- raise ValueError, "tls-policy domains must start with *.; try *."+d
- d = d.partition("*.")[2]
- if not looks_like_a_domain(d):
- raise ValueError, "tls-policy for something that a domain? " + d
 yield (d, policies)
 if __name__ == "__main__":
diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py
index d5ec334ec..859095acc 100755
--- a/MTAConfigGenerator.py
+++ b/MTAConfigGenerator.py
@@ -114,10 +114,15 @@ class PostfixConfigGenerator(MTAConfigGenerator):
 def set_domainwise_tls_policies(self):
 self.policy_lines = []
- for domain, policy in self.policy_config.tls_policies.items():
- entry = domain + " encrypt"
- if "min-tls-version" in policy:
- entry += " " + policy["min-tls-version"]
+ for address_domain, properties in self.policy_config.acceptable_mxs.items():
+ mx_list = properties["accept-mx-domains"]
+ if len(mx_list) > 1:
+ print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain
+ mx_domain = mx_list[0]
+ mx_policy = self.policy_config.tls_policies[mx_domain]
+ entry = address_domain + " encrypt"
+ if "min-tls-version" in mx_policy:
+ entry += " " + mx_policy["min-tls-version"]
 self.policy_lines.append(entry)
 f = open(DEFAULT_POLICY_FILE, "w")
diff --git a/starttls-everywhere.json b/starttls-everywhere.json
index d0e656186..a98a2293f 100644
--- a/starttls-everywhere.json
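Review bot: `self.acceptable_mxs = val` stores the raw `acceptable-mxs` section with no shape check, whereas the `tls-policies` branch just above at least rejects a bad `min-tls-version` value; a malformed entry will therefore surface later as a KeyError or IndexError in the generator instead of as a config error here. I would add a `check_acceptable_mxs(self, val)` mirroring `check_tls_policy_domains` — a dict of str to dict, each with a non-empty list of str under `"accept-mx-domains"` — and call it before the assignment. The `pass` left after the new assignment is now dead and should go. The method this branch belongs to starts before the hunk.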
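Review bot: With the `*.` handling gone, `check_tls_policy_domains` no longer validates the key at all — the `looks_like_a_domain(d)` check was removed together with the prefix check, so any string, including an empty one, is now yielded as a policy domain. The domain check should survive the prefix change, e.g. `if not looks_like_a_domain(d.lstrip("*.")): raise ValueError, "tls-policy key is not a domain: " + d`. If the key format is being redefined, a short comment above the loop stating what a key must look like and that it is matched literally against `accept-mx-domains` entries would save the next reader the archaeology. `check_tls_policy_domains` begins outside this hunk.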
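Review bot: The `len(mx_list) > 1` branch says it is skipping `address_domain` but has no `continue`, so the loop falls through and emits a policy from `mx_list[0]` anyway — the message and the behaviour disagree. The two lookups that follow are also unchecked: `mx_list[0]` raises IndexError on an empty `accept-mx-domains` list and `self.policy_config.tls_policies[mx_domain]` raises KeyError when an acceptable MX has no `tls-policies` entry; both are configuration errors that deserve a named message, and silently skipping them would leave the domain with no policy line at all (no encryption requirement), the fail-open outcome this tool exists to prevent, so I would raise rather than skip. Separately, `mx_domain` is used only for the lookup — the emitted line is `address_domain + " encrypt"` — so nothing written here ties delivery to the listed MX names; if `accept-mx-domains` is meant to be enforced, it still needs a generator-side representation. The method continues past the end of the hunk.
```python
for address_domain, properties in self.policy_config.acceptable_mxs.items():
    mx_list = properties["accept-mx-domains"]
    if not mx_list:
        raise ValueError("empty accept-mx-domains for " + address_domain)
    if len(mx_list) > 1:
        # Multi-MX lists are not supported yet; say so and really skip.
        print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain
        continue
    mx_domain = mx_list[0]
    if mx_domain not in self.policy_config.tls_policies:
        raise ValueError("no tls-policies entry for " + mx_domain + " (referenced by " + address_domain + ")")
    mx_policy = self.policy_config.tls_policies[mx_domain]
    # ... unchanged: build the "<domain> encrypt [min-tls-version]" entry ...
```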
+++ b/starttls-everywhere.json
@@ -50,11 +50,6 @@
 }
 },
 "acceptable-mxs": {
- "wp.pl": {
- "accept-mx-domains": [
- "*.wp.pl"
- ]
- },
 "yahoo.co.uk": {
 "accept-mx-domains": [
 "*.yahoodns.net"
From 67ee3b048876d1e27cdc21d29139afc1bb812b68 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 18 Jun 2014 12:32:17 -0400
Subject: [PATCH 3/3] Config format change - don't use * as it's misleading.
---
 config.json | 4 +--
 starttls-everywhere.json | 58 ++++++++++++++++++++--------------------
 2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/config.json b/config.json
index 1a9034545..05fc237bf 100644
--- a/config.json
+++ b/config.json
@@ -4,13 +4,13 @@
 "author": "Electronic Frontier Foundation https://eff.org",
 "expires": 1404677353,
 "comment 2:": "epoch seconds",
 "tls-policies": {
- "*.valid-example-recipient.com": {
+ ".valid-example-recipient.com": {
 "min-tls-version": "TLSv1.1"
 }
 },
 "acceptable-mxs": {
 "valid-example-recipient.com": {
- "accept-mx-domains": [ "*.valid-example-recipient.com" ]
+ "accept-mx-domains": [ ".valid-example-recipient.com" ]
 }
 }
diff --git a/starttls-everywhere.json b/starttls-everywhere.json
index a98a2293f..d00859d8c 100644
--- a/starttls-everywhere.json
+++ b/starttls-everywhere.json
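Review bot: The new leading `.` is not interpreted anywhere visible in this series — patch 2 dropped the prefix check from `check_tls_policy_domains`, and the generator uses the `accept-mx-domains` value only as a literal key into `tls_policies` — so the dot is a naming convention that must match byte-for-byte between the two sections, not a subdomain wildcard. If it is meant to mean "any host under this domain" (the commit title suggests `*.` was misleading on exactly that point), the matching semantics still have to be implemented; until then the file should say what the prefix does and does not mean. This file already carries comment keys, so something like `"comment 3:": "tls-policies keys are matched literally against accept-mx-domains entries"` would do.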
@@ -1,50 +1,50 @@
 {
 "tls-policies": {
- "*.mx.aol.com": {
+ ".mx.aol.com": {
 "min-tls-version": "TLSv1",
 "require-tls": true
 },
- "*.psmtp.com": {
+ ".psmtp.com": {
 "min-tls-version": "TLSv1",
 "require-tls": true
 },
- "*.ukr.net": {
+ ".ukr.net": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.interia.pl": {
+ ".interia.pl": {
 "min-tls-version": "TLSv1",
 "require-tls": true
 },
- "*.gmx.net": {
+ ".gmx.net": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.web.de": {
+ ".web.de": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.marktplaats.nl": {
+ ".marktplaats.nl": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.wp.pl": {
+ ".wp.pl": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.yahoodns.net": {
+ ".yahoodns.net": {
 "min-tls-version": "TLSv1",
 "require-tls": true
 },
- "*.t-online.de": {
+ ".t-online.de": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.rambler.ru": {
+ ".rambler.ru": {
 "min-tls-version": "TLSv1.1",
 "require-tls": true
 },
- "*.t.facebook.com": {
+ ".t.facebook.com": {
 "min-tls-version": "TLSv1",
 "require-tls": true
 }
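Review bot: `.wp.pl` still has a `tls-policies` entry here, but patch 2 in this series removed `wp.pl` from `acceptable-mxs` and the generator only emits policies for domains listed there, so as far as this series shows nothing references this entry any more. Either the `wp.pl` → `.wp.pl` mapping should be restored or the entry dropped; a policy that is defined but never applied gives a false impression of coverage to anyone reading this file.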
@@ -52,87 +52,87 @@
 "acceptable-mxs": {
 "yahoo.co.uk": {
 "accept-mx-domains": [
- "*.yahoodns.net"
+ ".yahoodns.net"
 ]
 },
 "rocketmail.com": {
 "accept-mx-domains": [
- "*.yahoodns.net"
+ ".yahoodns.net"
 ]
 },
 "web.de": {
 "accept-mx-domains": [
- "*.web.de"
+ ".web.de"
 ]
 },
 "sbcglobal.net": {
 "accept-mx-domains": [
- "*.yahoodns.net"
+ ".yahoodns.net"
 ]
 },
 "aol.com": {
 "accept-mx-domains": [
- "*.mx.aol.com"
+ ".mx.aol.com"
 ]
 },
 "facebook.com": {
 "accept-mx-domains": [
- "*.t.facebook.com"
+ ".t.facebook.com"
 ]
 },
 "sompo-japan.co.jp": {
 "accept-mx-domains": [
- "*.psmtp.com"
+ ".psmtp.com"
 ]
 },
 "salesforce.com": {
 "accept-mx-domains": [
- "*.psmtp.com"
+ ".psmtp.com"
 ]
 },
 "rambler.ru": {
 "accept-mx-domains": [
- "*.rambler.ru"
+ ".rambler.ru"
 ]
 },
 "t-online.de": {
 "accept-mx-domains": [
- "*.t-online.de"
+ ".t-online.de"
 ]
 },
 "gmx.net": {
 "accept-mx-domains": [
- "*.gmx.net"
+ ".gmx.net"
 ]
 },
 "gmx.de": {
 "accept-mx-domains": [
- "*.gmx.net"
+ ".gmx.net"
 ]
 },
 "ukr.net": {
 "accept-mx-domains": [
- "*.ukr.net"
+ ".ukr.net"
 ]
 },
 "rogers.com": {
 "accept-mx-domains": [
- "*.yahoodns.net"
+ ".yahoodns.net"
 ]
 },
 "ymail.com": {
 "accept-mx-domains": [
- "*.yahoodns.net"
+ ".yahoodns.net"
 ]
 },
 "marktplaats.nl": {
 "accept-mx-domains": [
- "*.marktplaats.nl"
+ ".marktplaats.nl"
 ]
 },
 "interia.pl": {
 "accept-mx-domains": [
- "*.interia.pl"
+ ".interia.pl"
 ]
 }
 }