idnits 2.17.1 draft-ietf-dane-smtp-with-dane-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 26, 2015) is 3257 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-16) exists of draft-ietf-dane-ops-08 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Downref: Normative reference to an Informational RFC: RFC 5598 ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DANE V. Dukhovni 3 Internet-Draft Two Sigma 4 Intended status: Standards Track W. Hardaker 5 Expires: November 27, 2015 Parsons 6 May 26, 2015 8 SMTP security via opportunistic DANE TLS 9 draft-ietf-dane-smtp-with-dane-18 11 Abstract 13 This memo describes a downgrade-resistant protocol for SMTP transport 14 security between Mail Transfer Agents (MTAs) based on the DNS-Based 15 Authentication of Named Entities (DANE) TLSA DNS record. Adoption of 16 this protocol enables an incremental transition of the Internet email 17 backbone to one using encrypted and authenticated Transport Layer 18 Security (TLS). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on November 27, 2015. 37 Copyright Notice 39 Copyright (c) 2015 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5 57 1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 6 58 1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 6 59 1.3.2. Insecure server name without DNSSEC . . . . . . . . . 7 60 1.3.3. Sender policy does not scale . . . . . . . . . . . . 8 61 1.3.4. Too many certification authorities . . . . . . . . . 8 62 2. Identifying applicable TLSA records . . . . . . . . . . . . . 8 63 2.1. DNS considerations . . . . . . . . . . . . . . . . . . . 9 64 2.1.1. DNS errors, bogus and indeterminate responses . . . . 9 65 2.1.2. DNS error handling . . . . . . . . . . . . . . . . . 11 66 2.1.3. Stub resolver considerations . . . . . . . . . . . . 11 67 2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 13 68 2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 14 69 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 70 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 71 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 72 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 73 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 20 74 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21 75 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 22 76 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23 77 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23 78 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 23 79 3.2.3. Reference identifier matching . . . . . . . . . . . . 25 80 4. Server key management . . . . . . . . . . . . . . . . . . . . 25 81 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 82 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26 83 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27 84 8. Interoperability considerations . . . . . . . . . . . . . . . 27 85 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27 86 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28 87 9. Operational Considerations . . . . . . . . . . . . . . . . . 28 88 9.1. Client Operational Considerations . . . . . . . . . . . . 28 89 9.2. Publisher Operational Considerations . . . . . . . . . . 29 90 10. Security Considerations . . . . . . . . . . . . . . . . . . . 29 91 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30 92 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 93 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 94 13.1. Normative References . . . . . . . . . . . . . . . . . . 31 95 13.2. Informative References . . . . . . . . . . . . . . . . . 32 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 98 1. Introduction 100 This memo specifies a new connection security model for Message 101 Transfer Agents (MTAs). This model is motivated by key features of 102 inter-domain SMTP delivery, in particular the fact that the 103 destination server is selected indirectly via DNS Mail Exchange (MX) 104 records and that neither email addresses nor MX hostnames signal a 105 requirement for either secure or cleartext transport. Therefore, 106 aside from a few manually configured exceptions, SMTP transport 107 security is of necessity opportunistic (for a definition of 108 "Opportunistic Security" see [RFC7435]). 110 This specification uses the presence of DANE TLSA records to securely 111 signal TLS support and to publish the means by which SMTP clients can 112 successfully authenticate legitimate SMTP servers. This becomes 113 "opportunistic DANE TLS" and is resistant to downgrade and man-in- 114 the-middle (MITM) attacks. It enables an incremental transition of 115 the email backbone to authenticated TLS delivery, with increased 116 global protection as adoption increases. 118 With opportunistic DANE TLS, traffic from SMTP clients to domains 119 that publish "usable" DANE TLSA records in accordance with this memo 120 is authenticated and encrypted. Traffic from legacy clients or to 121 domains that do not publish TLSA records will continue to be sent in 122 the same manner as before, via manually configured security, (pre- 123 DANE) opportunistic TLS or just cleartext SMTP. 125 Problems with existing use of TLS in MTA to MTA SMTP that motivate 126 this specification are described in Section 1.3. The specification 127 itself follows in Section 2 and Section 3 which describe respectively 128 how to locate and use DANE TLSA records with SMTP. In Section 6, we 129 discuss application of DANE TLS to destinations for which channel 130 integrity and confidentiality are mandatory. In Section 7 we briefly 131 comment on potential applicability of this specification to Message 132 User Agents. 134 1.1. Terminology 136 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 137 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 138 "OPTIONAL" in this document are to be interpreted as described in 139 [RFC2119]. 141 The following terms or concepts are used through the document: 143 Man-in-the-middle or MITM attack: Active modification of network 144 traffic by an adversary able to thereby compromise the 145 confidentiality or integrity of the data. 147 Downgrade attack: (From [RFC4949]). A type of man-in-the-middle 148 attack in which the attacker can cause two parties, at the time 149 they negotiate a security association, to agree on a lower level 150 of protection than the highest level that could have been 151 supported by both of them. 153 Downgrade-resistant: A protocol is "downgrade-resistant" if it 154 employs effective counter-measures against downgrade attacks. 156 secure, bogus, insecure, indeterminate: DNSSEC validation results, 157 as defined in Section 4.3 of [RFC4035]. 159 Validating Security-Aware Stub Resolver and Non-Validating 160 Security-Aware Stub Resolver: 161 Capabilities of the stub resolver in use as defined in [RFC4033]; 162 note that this specification requires the use of a Security-Aware 163 Stub Resolver. 165 (pre-DANE) opportunistic TLS: Best-effort use of TLS that is 166 generally vulnerable to DNS forgery and STARTTLS downgrade 167 attacks. When a TLS-encrypted communication channel is not 168 available, message transmission takes place in the clear. MX 169 record indirection generally precludes authentication even when 170 TLS is available. 172 opportunistic DANE TLS: Best-effort use of TLS, resistant to 173 downgrade attacks for destinations with DNSSEC-validated TLSA 174 records. When opportunistic DANE TLS is determined to be 175 unavailable, clients should fall back to opportunistic TLS. 176 Opportunistic DANE TLS requires support for DNSSEC, DANE and 177 STARTTLS on the client side and STARTTLS plus a DNSSEC published 178 TLSA record on the server side. 180 reference identifier: (Special case of [RFC6125] definition). One 181 of the domain names associated by the SMTP client with the 182 destination SMTP server for performing name checks on the server 183 certificate. When name checks are applicable, at least one of the 184 reference identifiers MUST match an [RFC6125] DNS-ID (or if none 185 are present the [RFC6125] CN-ID) of the server certificate (see 186 Section 3.2.3). 188 MX hostname: The RRDATA of an MX record consists of a 16 bit 189 preference followed by a Mail Exchange domain name (see [RFC1035], 190 Section 3.3.9). We will use the term "MX hostname" to refer to 191 the latter, that is, the DNS domain name found after the 192 preference value in an MX record. Thus an "MX hostname" is 193 specifically a reference to a DNS domain name, rather than any 194 host that bears that name. 196 delayed delivery: Email delivery is a multi-hop store & forward 197 process. When an MTA is unable to forward a message that may 198 become deliverable later the message is queued and delivery is 199 retried periodically. Some MTAs may be configured with a fallback 200 next-hop destination that handles messages that the MTA would 201 otherwise queue and retry. When a fallback next-hop is 202 configured, messages that would otherwise have to be delayed may 203 be sent to the fallback next-hop destination instead. The 204 fallback destination may itself be subject to opportunistic or 205 mandatory DANE TLS (Section 6) as though it were the original 206 message destination. 208 original next hop destination: The logical destination for mail 209 delivery. By default this is the domain portion of the recipient 210 address, but MTAs may be configured to forward mail for some or 211 all recipients via designated relays. The original next hop 212 destination is, respectively, either the recipient domain or the 213 associated configured relay. 215 MTA: Message Transfer Agent ([RFC5598], Section 4.3.2). 217 MSA: Message Submission Agent ([RFC5598], Section 4.3.1). 219 MUA: Message User Agent ([RFC5598], Section 4.2.1). 221 RR: A DNS Resource Record as defined in [RFC1034], Section 3.6. 223 RRSet: An RRSet ([RFC2181], Section 5) is a group of DNS resource 224 records that share the same label, class and type. 226 1.2. Background 228 The Domain Name System Security Extensions (DNSSEC) add data origin 229 authentication, data integrity and data non-existence proofs to the 230 Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034] 231 and [RFC4035]. 233 As described in the introduction of [RFC6698], TLS authentication via 234 the existing public Certification Authority (CA) PKI suffers from an 235 over-abundance of trusted parties capable of issuing certificates for 236 any domain of their choice. DANE leverages the DNSSEC infrastructure 237 to publish public keys and certificates for use with the Transport 238 Layer Security (TLS) [RFC5246] protocol via the "TLSA" DNS record 239 type. With DNSSEC each domain can only vouch for the keys of its 240 delegated sub-domains. 242 The TLS protocol enables secure TCP communication. In the context of 243 this memo, channel security is assumed to be provided by TLS. Used 244 without authentication, TLS provides only privacy protection against 245 eavesdropping attacks. Otherwise, TLS also provides data origin 246 authentication to guard against MITM attacks. 248 1.3. SMTP channel security 250 With HTTPS, Transport Layer Security (TLS) employs X.509 certificates 251 [RFC5280] issued by one of the many Certification Authorities (CAs) 252 bundled with popular web browsers to allow users to authenticate 253 their "secure" websites. Before we specify a new DANE TLS security 254 model for SMTP, we will explain why a new security model is needed. 255 In the process, we will explain why the familiar HTTPS security model 256 is inadequate to protect inter-domain SMTP traffic. 258 The subsections below outline four key problems with applying 259 traditional Web PKI to SMTP that are addressed by this specification. 260 Since SMTP channel security policy is not explicitly specified in 261 either the recipient address or the MX record, a new signaling 262 mechanism is required to indicate when channel security is possible 263 and should be used. The publication of TLSA records allows server 264 operators to securely signal to SMTP clients that TLS is available 265 and should be used. DANE TLSA makes it possible to simultaneously 266 discover which destination domains support secure delivery via TLS 267 and how to verify the authenticity of the associated SMTP services, 268 providing a path forward to ubiquitous SMTP channel security. 270 1.3.1. STARTTLS downgrade attack 272 The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop 273 protocol in a multi-hop store & forward email delivery process. An 274 SMTP envelope recipient address does not correspond to a specific 275 transport-layer endpoint address, rather at each relay hop the 276 transport-layer endpoint is the next-hop relay, while the envelope 277 recipient address typically remains the same. Unlike the Hypertext 278 Transfer Protocol (HTTP) and its corresponding secured version, 279 HTTPS, where the use of TLS is signaled via the URI scheme, email 280 recipient addresses do not directly signal transport security policy. 281 Indeed, no such signaling could work well with SMTP since TLS 282 encryption of SMTP protects email traffic on a hop-by-hop basis while 283 email addresses could only express end-to-end policy. 285 With no mechanism available to signal transport security policy, SMTP 286 relays employ a best-effort "opportunistic" security model for TLS. 287 A single SMTP server TCP listening endpoint can serve both TLS and 288 non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS 289 command ([RFC3207]). The server signals TLS support to the client 290 over a cleartext SMTP connection, and, if the client also supports 291 TLS, it may negotiate a TLS encrypted channel to use for email 292 transmission. The server's indication of TLS support can be easily 293 suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can 294 be subverted by simply downgrading a connection to cleartext. No TLS 295 security feature can prevent this. The attacker can simply disable 296 TLS. 298 1.3.2. Insecure server name without DNSSEC 300 With SMTP, DNS Mail Exchange (MX) records abstract the next-hop 301 transport endpoint and allow administrators to specify a set of 302 target servers to which SMTP traffic should be directed for a given 303 domain. 305 A TLS client is vulnerable to MITM attacks unless it verifies that 306 the server's certificate binds the public key to a name that matches 307 one of the client's reference identifiers. A natural choice of 308 reference identifier is the server's domain name. However, with 309 SMTP, server names are not directly encoded in the recipient address, 310 instead they are obtained indirectly via MX records. Without DNSSEC, 311 the MX lookup is vulnerable to MITM and DNS cache poisoning attacks. 312 Active attackers can forge DNS replies with fake MX records and can 313 redirect email to servers with names of their choice. Therefore, 314 secure verification of SMTP TLS certificates matching the server name 315 is not possible without DNSSEC. 317 One might try to harden TLS for SMTP against DNS attacks by using the 318 envelope recipient domain as a reference identifier and by requiring 319 each SMTP server to possess a trusted certificate for the envelope 320 recipient domain rather than the MX hostname. Unfortunately, this is 321 impractical as email for many domains is handled by third parties 322 that are not in a position to obtain certificates for all the domains 323 they serve. Deployment of the Server Name Indication (SNI) extension 324 to TLS (see [RFC6066] Section 3) is no panacea, since SNI key 325 management is operationally challenging except when the email service 326 provider is also the domain's registrar and its certificate issuer; 327 this is rarely the case for email. 329 Since the recipient domain name cannot be used as the SMTP server 330 reference identifier, and neither can the MX hostname without DNSSEC, 331 large-scale deployment of authenticated TLS for SMTP requires that 332 the DNS be secure. 334 Since SMTP security depends critically on DNSSEC, it is important to 335 point out that consequently SMTP with DANE is the most conservative 336 possible trust model. It trusts only what must be trusted and no 337 more. Adding any other trusted actors to the mix can only reduce 338 SMTP security. A sender may choose to further harden DNSSEC for 339 selected high-value receiving domains by configuring explicit trust 340 anchors for those domains instead of relying on the chain of trust 341 from the root domain. However, detailed discussion of DNSSEC 342 security practices is out of scope for this document. 344 1.3.3. Sender policy does not scale 346 Sending systems are in some cases explicitly configured to use TLS 347 for mail sent to selected peer domains, but this requires configuring 348 sending MTAs with appropriate subject names or certificate content 349 digests from their peer domains. Due to the resulting administrative 350 burden, such statically configured SMTP secure channels are used 351 rarely (generally only between domains that make bilateral 352 arrangements with their business partners). Internet email, on the 353 other hand, requires regularly contacting new domains for which 354 security configurations cannot be established in advance. 356 The abstraction of the SMTP transport endpoint via DNS MX records, 357 often across organization boundaries, limits the use of public CA PKI 358 with SMTP to a small set of sender-configured peer domains. With 359 little opportunity to use TLS authentication, sending MTAs are rarely 360 configured with a comprehensive list of trusted CAs. SMTP services 361 that support STARTTLS often deploy X.509 certificates that are self- 362 signed or issued by a private CA. 364 1.3.4. Too many certification authorities 366 Even if it were generally possible to determine a secure server name, 367 the SMTP client would still need to verify that the server's 368 certificate chain is issued by a trusted Certification Authority (a 369 trust anchor). MTAs are not interactive applications where a human 370 operator can make a decision (wisely or otherwise) to selectively 371 disable TLS security policy when certificate chain verification 372 fails. With no user to "click OK", the MTA's list of public CA trust 373 anchors would need to be comprehensive in order to avoid bouncing 374 mail addressed to sites that employ unknown Certification 375 Authorities. 377 On the other hand, each trusted CA can issue certificates for any 378 domain. If even one of the configured CAs is compromised or operated 379 by an adversary, it can subvert TLS security for all destinations. 380 Any set of CAs is simultaneously both overly inclusive and not 381 inclusive enough. 383 2. Identifying applicable TLSA records 384 2.1. DNS considerations 386 2.1.1. DNS errors, bogus and indeterminate responses 388 An SMTP client that implements opportunistic DANE TLS per this 389 specification depends critically on the integrity of DNSSEC lookups, 390 as discussed in Section 1.3.2. This section lists the DNS resolver 391 requirements needed to avoid downgrade attacks when using 392 opportunistic DANE TLS. 394 A DNS lookup may signal an error or return a definitive answer. A 395 security-aware resolver MUST be used for this specification. 396 Security-aware resolvers will indicate the security status of a DNS 397 RRSet with one of four possible values defined in Section 4.3 of 398 [RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In 399 [RFC4035] the meaning of the "indeterminate" security status is: 401 An RRSet for which the resolver is not able to determine whether 402 the RRSet should be signed, as the resolver is not able to obtain 403 the necessary DNSSEC RRs. This can occur when the security-aware 404 resolver is not able to contact security-aware name servers for 405 the relevant zones. 407 Note, the "indeterminate" security status has a conflicting 408 definition in section 5 of [RFC4033]. 410 There is no trust anchor that would indicate that a specific 411 portion of the tree is secure. 413 In this document the term "indeterminate" will be used exclusively in 414 the [RFC4035] sense. Therefore, obtaining "indeterminate" lookup 415 results is a (transient) failure condition, namely, the inability to 416 locate the relevant DNS records. DNS records that would be 417 classified "indeterminate" in the sense of [RFC4035] are simply 418 classified as "insecure". 420 We do not need to distinguish between zones that lack a suitable 421 ancestor trust anchor, and delegations (ultimately) from a trust- 422 anchor that designate a child zone as being "insecure". All 423 "insecure" RRSets MUST be handled identically: in either case 424 unvalidated data for the query domain is all that is and can be 425 available, and authentication using the data is impossible. As the 426 DNS root zone has been signed, we expect that validating resolvers 427 used by Internet-facing MTAs will be configured with trust anchor 428 data for the root zone, and that therefore domains with no ancestor 429 trust anchor will not be possible in most deployments. 431 As noted in section 4.3 of [RFC4035], a security-aware DNS resolver 432 MUST be able to determine whether a given non-error DNS response is 433 "secure", "insecure", "bogus" or "indeterminate". It is expected 434 that most security-aware stub resolvers will not signal an 435 "indeterminate" security status (in the sense of RFC4035) to the 436 application, and will signal a "bogus" or error result instead. If a 437 resolver does signal an RFC4035 "indeterminate" security status, this 438 MUST be treated by the SMTP client as though a "bogus" or error 439 result had been returned. 441 An MTA making use of a non-validating security-aware stub resolver 442 MAY use the stub resolver's ability, if available, to signal DNSSEC 443 validation status based on information the stub resolver has learned 444 from an upstream validating recursive resolver. Security-Oblivious 445 stub-resolvers ([RFC4033]) MUST NOT be used. In accordance with 446 section 4.9.3 of [RFC4035]: 448 ... a security-aware stub resolver MUST NOT place any reliance on 449 signature validation allegedly performed on its behalf, except 450 when the security-aware stub resolver obtained the data in question 451 from a trusted security-aware recursive name server via a secure 452 channel. 454 To avoid much repetition in the text below, we will pause to explain 455 the handling of "bogus" or "indeterminate" DNSSEC query responses. 456 These are not necessarily the result of a malicious actor; they can, 457 for example, occur when network packets are corrupted or lost in 458 transit. Therefore, "bogus" or "indeterminate" replies are equated 459 in this memo with lookup failure. 461 There is an important non-failure condition we need to highlight in 462 addition to the obvious case of the DNS client obtaining a non-empty 463 "secure" or "insecure" RRSet of the requested type. Namely, it is 464 not an error when either "secure" or "insecure" non-existence is 465 determined for the requested data. When a DNSSEC response with a 466 validation status that is either "secure" or "insecure" reports 467 either no records of the requested type or non-existence of the query 468 domain, the response is not a DNS error condition. The DNS client 469 has not been left without an answer; it has learned that records of 470 the requested type do not exist. 472 Security-aware stub resolvers will, of course, also signal DNS lookup 473 errors in other cases, for example when processing a "ServFail" 474 RCODE, which will not have an associated DNSSEC status. All lookup 475 errors are treated the same way by this specification, regardless of 476 whether they are from a "bogus" or "indeterminate" DNSSEC status or 477 from a more generic DNS error: the information that was requested 478 cannot be obtained by the security-aware resolver at this time. A 479 lookup error is thus a failure to obtain the relevant RRSet if it 480 exists, or to determine that no such RRSet exists when it does not. 482 In contrast to a "bogus" or an "indeterminate" response, an 483 "insecure" DNSSEC response is not an error, rather, as explained 484 above, it indicates that the target DNS zone is either delegated as 485 an "insecure" child of a "secure" parent zone, or is not a descendant 486 of any of the configured DNSSEC trust anchors in use by the SMTP 487 client. "Insecure" results will leave the SMTP client with degraded 488 channel security, but do not stand in the way of message delivery. 489 See section Section 2.2 for further details. 491 2.1.2. DNS error handling 493 When a DNS lookup failure (error or "bogus" or "indeterminate" as 494 defined above) prevents an SMTP client from determining which SMTP 495 server or servers it should connect to, message delivery MUST be 496 delayed. This naturally includes, for example, the case when a 497 "bogus" or "indeterminate" response is encountered during MX 498 resolution. When multiple MX hostnames are obtained from a 499 successful MX lookup, but a later DNS lookup failure prevents network 500 address resolution for a given MX hostname, delivery may proceed via 501 any remaining MX hosts. 503 When a particular SMTP server is securely identified as the delivery 504 destination, a set of DNS lookups (Section 2.2) MUST be performed to 505 locate any related TLSA records. If any DNS queries used to locate 506 TLSA records fail (be it due to "bogus" or "indeterminate" records, 507 timeouts, malformed replies, ServFails, etc.), then the SMTP client 508 MUST treat that server as unreachable and MUST NOT deliver the 509 message via that server. If no servers are reachable, delivery is 510 delayed. 512 In what follows, we will only describe what happens when all relevant 513 DNS queries succeed. If any DNS failure occurs, the SMTP client MUST 514 behave as described in this section, by skipping the problem SMTP 515 server, or the problem destination. Queries for candidate TLSA 516 records are explicitly part of "all relevant DNS queries" and SMTP 517 clients MUST NOT continue to connect to an SMTP server or destination 518 whose TLSA record lookup fails. 520 2.1.3. Stub resolver considerations 522 SMTP clients that employ opportunistic DANE TLS to secure connections 523 to SMTP servers MUST NOT use Security-Oblivious ([RFC4033]) stub- 524 resolvers. 526 A note about DNAME aliases: a query for a domain name whose ancestor 527 domain is a DNAME alias returns the DNAME RR for the ancestor domain 528 along with a CNAME that maps the query domain to the corresponding 529 sub-domain of the target domain of the DNAME alias [RFC6672]. 530 Therefore, whenever we speak of CNAME aliases, we implicitly allow 531 for the possibility that the alias in question is the result of an 532 ancestor domain DNAME record. Consequently, no explicit support for 533 DNAME records is needed in SMTP software; it is sufficient to process 534 the resulting CNAME aliases. DNAME records only require special 535 processing in the validating stub-resolver library that checks the 536 integrity of the combined DNAME + CNAME reply. When DNSSEC 537 validation is handled by a local caching resolver, rather than the 538 MTA itself, even that part of the DNAME support logic is outside the 539 MTA. 541 When a stub resolver returns a response containing a CNAME alias that 542 does not also contain the corresponding query results for the target 543 of the alias, the SMTP client will need to repeat the query at the 544 target of the alias, and should do so recursively up to some 545 configured or implementation-dependent recursion limit. If at any 546 stage of CNAME expansion an error is detected, the lookup of the 547 original requested records MUST be considered to have failed. 549 Whether a chain of CNAME records was returned in a single stub 550 resolver response or via explicit recursion by the SMTP client, if at 551 any stage of recursive expansion an "insecure" CNAME record is 552 encountered, then it and all subsequent results (in particular, the 553 final result) MUST be considered "insecure" regardless of whether any 554 earlier CNAME records leading to the "insecure" record were "secure". 556 Note that a security-aware non-validating stub resolver may return to 557 the SMTP client an "insecure" reply received from a validating 558 recursive resolver that contains a CNAME record along with additional 559 answers recursively obtained starting at the target of the CNAME. In 560 this case, the only possible conclusion is that some record in the 561 set of records returned is "insecure", and it is in fact possible 562 that the initial CNAME record and a subset of the subsequent records 563 are "secure". 565 If the SMTP client needs to determine the security status of the DNS 566 zone containing the initial CNAME record, it may need to issue a 567 separate query of type "CNAME" that returns only the initial CNAME 568 record. In particular in Section 2.2.2 when insecure A or AAAA 569 records are found for an SMTP server via a CNAME alias, it may be 570 necessary to perform an additional CNAME query to determine whether 571 the DNS zone in which the alias is published is signed. 573 2.2. TLS discovery 575 As noted previously (in Section 1.3.1), opportunistic TLS with SMTP 576 servers that advertise TLS support via STARTTLS is subject to an MITM 577 downgrade attack. Also some SMTP servers that are not, in fact, TLS 578 capable erroneously advertise STARTTLS by default and clients need to 579 be prepared to retry cleartext delivery after STARTTLS fails. In 580 contrast, DNSSEC validated TLSA records MUST NOT be published for 581 servers that do not support TLS. Clients can safely interpret their 582 presence as a commitment by the server operator to implement TLS and 583 STARTTLS. 585 This memo defines four actions to be taken after the search for a 586 TLSA record returns secure usable results, secure unusable results, 587 insecure or no results or an error signal. The term "usable" in this 588 context is in the sense of Section 4.1 of [RFC6698]. Specifically, 589 if the DNS lookup for a TLSA record returns: 591 A secure TLSA RRSet with at least one usable record: Any connection 592 to the MTA MUST employ TLS encryption and MUST authenticate the 593 SMTP server using the techniques discussed in the rest of this 594 document. Failure to establish an authenticated TLS connection 595 MUST result in falling back to the next SMTP server or delayed 596 delivery. 598 A secure non-empty TLSA RRSet where all the records are unusable: 599 Any connection to the MTA MUST be made via TLS, but authentication 600 is not required. Failure to establish an encrypted TLS connection 601 MUST result in falling back to the next SMTP server or delayed 602 delivery. 604 An insecure TLSA RRSet or DNSSEC validated proof-of-non-existent TLSA 605 records: 606 A connection to the MTA SHOULD be made using (pre-DANE) 607 opportunistic TLS, this includes using cleartext delivery when the 608 remote SMTP server does not appear to support TLS. The MTA MAY 609 retry in cleartext when delivery via TLS fails either during the 610 handshake or even during data transfer. 612 Any lookup error: Lookup errors, including "bogus" and 613 "indeterminate", as explained in Section 2.1.1 MUST result in 614 falling back to the next SMTP server or delayed delivery. 616 An SMTP client MAY be configured to mandate DANE verified delivery 617 for some destinations. With mandatory DANE TLS (Section 6), delivery 618 proceeds only when "secure" TLSA records are used to establish an 619 encrypted and authenticated TLS channel with the SMTP server. 621 When the original next-hop destination is an address literal, rather 622 than a DNS domain, DANE TLS does not apply. Delivery proceeds using 623 any relevant security policy configured by the MTA administrator. 624 Similarly, when an MX RRSet incorrectly lists a network address in 625 lieu of an MX hostname, if an MTA chooses to connect to the network 626 address in the non-conformant MX record, DANE TLSA does not apply for 627 such a connection. 629 In the subsections that follow we explain how to locate the SMTP 630 servers and the associated TLSA records for a given next-hop 631 destination domain. We also explain which name or names are to be 632 used in identity checks of the SMTP server certificate. 634 2.2.1. MX resolution 636 In this section we consider next-hop domains that are subject to MX 637 resolution and have MX records. The TLSA records and the associated 638 base domain are derived separately for each MX hostname that is used 639 to attempt message delivery. DANE TLS can authenticate message 640 delivery to the intended next-hop domain only when the MX records are 641 obtained securely via a DNSSEC validated lookup. 643 MX records MUST be sorted by preference; an MX hostname with a worse 644 (numerically higher) MX preference that has TLSA records MUST NOT 645 preempt an MX hostname with a better (numerically lower) preference 646 that has no TLSA records. In other words, prevention of delivery 647 loops by obeying MX preferences MUST take precedence over channel 648 security considerations. Even with two equal-preference MX records, 649 an MTA is not obligated to choose the MX hostname that offers more 650 security. Domains that want secure inbound mail delivery need to 651 ensure that all their SMTP servers and MX records are configured 652 accordingly. 654 In the language of [RFC5321] Section 5.1, the original next-hop 655 domain is the "initial name". If the MX lookup of the initial name 656 results in a CNAME alias, the MTA replaces the initial name with the 657 resulting name and performs a new lookup with the new name. MTAs 658 typically support recursion in CNAME expansion, so this replacement 659 is performed repeatedly (up to the MTA's recursion limit) until the 660 ultimate non-CNAME domain is found. 662 If the MX RRSet (or any CNAME leading to it) is "insecure" (see 663 Section 2.1.1) and DANE TLS for the given destination is mandatory 664 (Section 6), delivery MUST be delayed. If the MX RRSet is "insecure" 665 and DANE TLS is not mandatory, the SMTP client is free to use pre- 666 DANE opportunistic TLS (possibly even cleartext). 668 Since the protocol in this memo is an "opportunistic security" 669 protocol ([RFC7435]) the SMTP client MAY elect to use DANE TLS (as 670 described in Section 2.2.2 below) even with MX hosts obtained via an 671 "insecure" MX RRSet. For example, when a hosting provider has a 672 signed DNS zone and publishes TLSA records for its SMTP servers, 673 hosted domains that are not signed may still benefit from the 674 provider's TLSA records. Deliveries via the provider's SMTP servers 675 will not be subject to active attacks when sending SMTP clients elect 676 to make use of the provider's TLSA records (active attacks that 677 tamper with the "insecure" MX RRSet are of course still possible in 678 this case). 680 When the MX records are not (DNSSEC) signed, an active attacker can 681 redirect SMTP clients to MX hosts of his choice. Such redirection is 682 tamper-evident when SMTP servers found via "insecure" MX records are 683 recorded as the next-hop relay in the MTA delivery logs in their 684 original (rather than CNAME expanded) form. Sending MTAs SHOULD log 685 unexpanded MX hostnames when these result from insecure MX lookups. 686 Any successful authentication via an insecurely determined MX host 687 MUST NOT be misrepresented in the mail logs as secure delivery to the 688 intended next-hop domain. 690 In the absence of DNS lookup errors (Section 2.1.1), if the MX RRSet 691 is not "insecure" then it is "secure", and the SMTP client MUST treat 692 each MX hostname as described in Section 2.2.2). When, for a given 693 MX hostname, no TLSA records are found, or only "insecure" TLSA 694 records are found, DANE TLSA is not applicable with the SMTP server 695 in question and delivery proceeds to that host as with pre-DANE 696 opportunistic TLS. To avoid downgrade attacks, any errors during 697 TLSA lookups MUST, as explained in Section 2.1.1, cause the SMTP 698 server in question to be treated as unreachable. 700 2.2.2. Non-MX destinations 702 This section describes the algorithm used to locate the TLSA records 703 and associated TLSA base domain for an input domain that is not 704 subject to MX resolution, that represents a hostname from a secure MX 705 RRSet, or that lacks MX records. Such domains include: 707 o Any host configured by the sending MTA administrator as the next- 708 hop relay for some or all domains, that is not subject to MX 709 resolution. 711 o When a domain has MX records, we treat each MX host listed in 712 those MX records as though it were a non-MX destination. That is, 713 in the same way as we would treat an administrator-configured 714 relay that handles mail for that domain. (Unlike administrator- 715 specified relays, MTAs are not required to support CNAME expansion 716 of next-hop names found via MX lookups). 718 o A next-hop destination domain subject to MX resolution that has no 719 MX records. In this case the domain's name is implicitly also its 720 sole SMTP server name. 722 Note that DNS queries with type TLSA are mishandled by load balancing 723 nameservers that serve the MX hostnames of some large email 724 providers. The DNS zones served by these nameservers are not signed 725 and contain no TLSA records, but queries for TLSA records fail, 726 rather than returning the non-existence of the requested TLSA 727 records. 729 To avoid problems delivering mail to domains whose SMTP servers are 730 served by the problem nameservers the SMTP client MUST perform any A 731 and/or AAAA queries for the destination before attempting to locate 732 the associated TLSA records. This lookup is needed in any case to 733 determine whether the destination domain is reachable and the DNSSEC 734 validation status of the chain of CNAME queries required to reach the 735 ultimate address records. 737 If no address records are found, the destination is unreachable. If 738 address records are found, but the DNSSEC validation status of the 739 first query response is "insecure" (see Section 2.1.3), the SMTP 740 client SHOULD NOT proceed to search for any associated TLSA records. 741 With the problem domains, TLSA queries will lead to DNS lookup errors 742 and cause messages to be consistently delayed and ultimately returned 743 to the sender. We don't expect to find any "secure" TLSA records 744 associated with a TLSA base domain that lies in an unsigned DNS zone. 745 Therefore, skipping TLSA lookups in this case will also reduce 746 latency with no detrimental impact on security. 748 If the A and/or AAAA lookup of the "initial name" yields a CNAME, we 749 replace it with the resulting name as if it were the initial name and 750 perform a lookup again using the new name. This replacement is 751 performed recursively (up to the MTA's recursion limit). 753 We consider the following cases for handling a DNS response for an A 754 or AAAA DNS lookup: 756 Not found: When the DNS queries for A and/or AAAA records yield 757 neither a list of addresses nor a CNAME (or CNAME expansion is not 758 supported) the destination is unreachable. 760 Non-CNAME: The answer is not a CNAME alias. If the address RRSet 761 is "secure", TLSA lookups are performed as described in 762 Section 2.2.3 with the initial name as the candidate TLSA base 763 domain. If no "secure" TLSA records are found, DANE TLS is not 764 applicable and mail delivery proceeds with pre-DANE opportunistic 765 TLS (which, being best-effort, degrades to cleartext delivery when 766 STARTTLS is not available or the TLS handshake fails). 768 Insecure CNAME: The input domain is a CNAME alias, but the ultimate 769 network address RRSet is "insecure" (see Section 2.1.1). If the 770 initial CNAME response is also "insecure", DANE TLS does not 771 apply. Otherwise, this case is treated just like the non-CNAME 772 case above, where a search is performed for a TLSA record with the 773 original input domain as the candidate TLSA base domain. 775 Secure CNAME: The input domain is a CNAME alias, and the ultimate 776 network address RRSet is "secure" (see Section 2.1.1). Two 777 candidate TLSA base domains are tried: the fully CNAME-expanded 778 initial name and, failing that, then the initial name itself. 780 In summary, if it is possible to securely obtain the full, CNAME- 781 expanded, DNSSEC-validated address records for the input domain, then 782 that name is the preferred TLSA base domain. Otherwise, the 783 unexpanded input-MX domain is the candidate TLSA base domain. When 784 no "secure" TLSA records are found at either the CNAME-expanded or 785 unexpanded domain, then DANE TLS does not apply for mail delivery via 786 the input domain in question. And, as always, errors, bogus or 787 indeterminate results for any query in the process MUST result in 788 delaying or abandoning delivery. 790 2.2.3. TLSA record lookup 792 For a particular SMTP server, the associated TLSA base domain is 793 either the server hostname or, when that hostname is an alias (CNAME 794 or DNAME), possibly its fully alias-expanded name if every stage in 795 the alias expansion is "secure". This yields either one or two 796 candidate TLSA base domains for the SMTP server. When there are two 797 candidate TLSA base domains, the alias-expanded domain name has a 798 higher precedence (is tried first). The first of these to yield a 799 "secure" TLSA RRSet is the final TLSA base domain. 801 Each candidate TLSA base domain (alias-expanded or original) is in 802 turn prefixed with service labels of the form "_._tcp". The 803 resulting domain name is used to issue a DNSSEC query with the query 804 type set to TLSA ([RFC6698] Section 7.1). 806 For SMTP, the destination TCP port is typically 25, but this may be 807 different with custom routes specified by the MTA administrator in 808 which case the SMTP client MUST use the appropriate number in the 809 "_" prefix in place of "_25". If, for example, the candidate 810 base domain is "mx.example.com", and the SMTP connection is to port 811 25, the TLSA RRSet is obtained via a DNSSEC query of the form: 813 _25._tcp.mx.example.com. IN TLSA ? 815 The query response may be a CNAME, or the actual TLSA RRSet. If the 816 response is a CNAME, the SMTP client (through the use of its 817 security-aware stub resolver) restarts the TLSA query at the target 818 domain, following CNAMEs as appropriate and keeps track of whether 819 the entire chain is "secure". If any "insecure" records are 820 encountered, or the TLSA records don't exist, the next candidate TLSA 821 base domain is tried instead. 823 If the ultimate response is a "secure" TLSA RRSet, then the candidate 824 TLSA base domain will be the actual TLSA base domain and the TLSA 825 RRSet will constitute the TLSA records for the destination. If none 826 of the candidate TLSA base domains yield "secure" TLSA records then 827 the SMTP client is free to use pre-DANE opportunistic TLS (possibly 828 even cleartext). 830 TLSA record publishers may leverage CNAMEs to reference a single 831 authoritative TLSA RRSet specifying a common Certification Authority 832 or a common end-entity certificate to be used with multiple TLS 833 services. Such CNAME expansion does not change the SMTP client's 834 notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is 835 a CNAME, the base domain remains mx.example.com and this is still the 836 reference identifier used together with the next-hop domain in peer 837 certificate name checks. 839 Note that shared end-entity certificate associations expose the 840 publishing domain to substitution attacks, where an MITM attacker can 841 reroute traffic to a different server that shares the same end-entity 842 certificate. Such shared end-entity TLSA records SHOULD be avoided 843 unless the servers in question are functionally equivalent or employ 844 mutually incompatible protocols (an active attacker gains nothing by 845 diverting client traffic from one such server to another). 847 A better example, employing a shared trust anchor rather than shared 848 end-entity certificates, is illustrated by the DNSSEC validated 849 records below: 851 example.com. IN MX 0 mx1.example.com. 852 example.com. IN MX 0 mx2.example.com. 853 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. 854 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. 855 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c149a... 857 The SMTP servers mx1.example.com and mx2.example.com will be expected 858 to have certificates issued under a common trust anchor, but each MX 859 hostname's TLSA base domain remains unchanged despite the above CNAME 860 records. Correspondingly, each SMTP server will be associated with a 861 pair of reference identifiers consisting of its hostname plus the 862 next-hop domain "example.com". 864 If, during TLSA resolution (including possible CNAME indirection), at 865 least one "secure" TLSA record is found (even if not usable because 866 it is unsupported by the implementation or support is 867 administratively disabled), then the corresponding host has signaled 868 its commitment to implement TLS. The SMTP client MUST NOT deliver 869 mail via the corresponding host unless a TLS session is negotiated 870 via STARTTLS. This is required to avoid MITM STARTTLS downgrade 871 attacks. 873 As noted previously (in Section Section 2.2.2), when no "secure" TLSA 874 records are found at the fully CNAME-expanded name, the original 875 unexpanded name MUST be tried instead. This supports customers of 876 hosting providers where the provider's zone cannot be validated with 877 DNSSEC, but the customer has shared appropriate key material with the 878 hosting provider to enable TLS via SNI. Intermediate names that 879 arise during CNAME expansion that are neither the original, nor the 880 final name, are never candidate TLSA base domains, even if "secure". 882 3. DANE authentication 884 This section describes which TLSA records are applicable to SMTP 885 opportunistic DANE TLS and how to apply such records to authenticate 886 the SMTP server. With opportunistic DANE TLS, both the TLS support 887 implied by the presence of DANE TLSA records and the verification 888 parameters necessary to authenticate the TLS peer are obtained 889 together. In contrast to protocols where channel security policy is 890 set exclusively by the client, authentication via this protocol is 891 expected to be less prone to connection failure caused by 892 incompatible configuration of the client and server. 894 3.1. TLSA certificate usages 896 The DANE TLSA specification [RFC6698] defines multiple TLSA RR types 897 via combinations of 3 numeric parameters. The numeric values of 898 these parameters were later given symbolic names in [RFC7218]. The 899 rest of the TLSA record is the "certificate association data field", 900 which specifies the full or digest value of a certificate or public 901 key. 903 Since opportunistic DANE TLS will be used by non-interactive MTAs, 904 with no user to "press OK" when authentication fails, reliability of 905 peer authentication is paramount. Server operators are advised to 906 publish TLSA records that are least likely to fail authentication due 907 to interoperability or operational problems. Because DANE TLS relies 908 on coordinated changes to DNS and SMTP server settings, the best 909 choice of records to publish will depend on site-specific practices. 911 The certificate usage element of a TLSA record plays a critical role 912 in determining how the corresponding certificate association data 913 field is used to authenticate server's certificate chain. The next 914 two subsections explain the process for certificate usages DANE-EE(3) 915 and DANE-TA(2). The third subsection briefly explains why 916 certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with 917 opportunistic DANE TLS. 919 In summary, we RECOMMEND the use of "DANE-EE(3) SPKI(1) SHA2-256(1)", 920 with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records as a second 921 choice, depending on site needs. See the following two subsections 922 for more details. Other combinations of TLSA parameters are either 923 explicitly unsupported, or offer little to recommend them over these 924 two. 926 3.1.1. Certificate usage DANE-EE(3) 928 Authentication via certificate usage DANE-EE(3) TLSA records involves 929 simply checking that the server's leaf certificate matches the TLSA 930 record. In particular the binding of the server public key to its 931 name is based entirely on the TLSA record association. The server 932 MUST be considered authenticated even if none of the names in the 933 certificate match the client's reference identity for the server. 935 The expiration date of the server certificate MUST be ignored: the 936 validity period of the TLSA record key binding is determined by the 937 validity interval of the TLSA record DNSSEC signature. 939 With DANE-EE(3), servers need not employ SNI (they may ignore the 940 client's SNI message) even when the server is known under independent 941 names that would otherwise require separate certificates. It is 942 instead sufficient for the TLSA RRSets for all the domains in 943 question to match the server's default certificate. Of course with 944 SMTP servers it is simpler still to publish the same MX hostname for 945 all the hosted domains. 947 For domains where it is practical to make coordinated changes in DNS 948 TLSA records during SMTP server key rotation, it is often best to 949 publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) 950 certificates don't suddenly stop working when leaf or intermediate 951 certificates expire, and don't fail when the server operator neglects 952 to configure all the required issuer certificates in the server 953 certificate chain. 955 TLSA records published for SMTP servers SHOULD, in most cases, be 956 "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE 957 implementations are required to support SHA2-256, this record type 958 works for all clients and need not change across certificate renewals 959 with the same key. 961 3.1.2. Certificate usage DANE-TA(2) 963 Some domains may prefer to avoid the operational complexity of 964 publishing unique TLSA RRs for each TLS service. If the domain 965 employs a common issuing Certification Authority to create 966 certificates for multiple TLS services, it may be simpler to publish 967 the issuing authority as a trust anchor (TA) for the certificate 968 chains of all relevant services. The TLSA query domain (TLSA base 969 domain with port and protocol prefix labels) for each service issued 970 by the same TA may then be set to a CNAME alias that points to a 971 common TLSA RRSet that matches the TA. For example: 973 example.com. IN MX 0 mx1.example.com. 974 example.com. IN MX 0 mx2.example.com. 975 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. 976 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. 977 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14.... 979 With usage DANE-TA(2) the server certificates will need to have names 980 that match one of the client's reference identifiers (see [RFC6125]). 981 The server MAY employ SNI to select the appropriate certificate to 982 present to the client. 984 SMTP servers that rely on certificate usage DANE-TA(2) TLSA records 985 for TLS authentication MUST include the TA certificate as part of the 986 certificate chain presented in the TLS handshake server certificate 987 message even when it is a self-signed root certificate. Many SMTP 988 servers are not configured with a comprehensive list of trust 989 anchors, nor are they expected to at any point in the future. Some 990 MTAs will ignore all locally trusted certificates when processing 991 usage DANE-TA(2) TLSA records. Thus even when the TA happens to be a 992 public Certification Authority known to the SMTP client, 993 authentication is likely to fail unless the TA certificate is 994 included in the TLS server certificate message. 996 With some SMTP server software it is not possible to configure the 997 server to include self-signed (root) CA certificates in the server 998 certificate chain. Such servers either MUST publish DANE-TA(2) 999 records for an intermediate certificate or MUST instead use DANE- 1000 EE(3) TLSA records. 1002 TLSA records with matching type Full(0) are discouraged. While these 1003 potentially obviate the need to transmit the TA certificate in the 1004 TLS server certificate message, client implementations may not be 1005 able to augment the server certificate chain with the data obtained 1006 from DNS, especially when the TLSA record supplies a bare key 1007 (selector SPKI(1)). Since the server will need to transmit the TA 1008 certificate in any case, server operators SHOULD publish TLSA records 1009 with a matching type other than Full(0) and avoid potential 1010 interoperability issues with large TLSA records containing full 1011 certificates or keys. 1013 TLSA Publishers employing DANE-TA(2) records SHOULD publish records 1014 with a selector of Cert(0). Such TLSA records are associated with 1015 the whole trust anchor certificate, not just with the trust anchor 1016 public key. In particular, the SMTP client SHOULD then apply any 1017 relevant constraints from the trust anchor certificate, such as, for 1018 example, path length constraints. 1020 While a selector of SPKI(1) may also be employed, the resulting TLSA 1021 record will not specify the full trust anchor certificate content, 1022 and elements of the trust anchor certificate other than the public 1023 key become mutable. This may, for example, allow a subsidiary CA to 1024 issue a chain that violates the trust anchor's path length or name 1025 constraints. 1027 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) 1029 Note, this section applies to MTA-to-MTA SMTP, which is normally on 1030 port 25. That is, to servers that are the SMTP servers for one or 1031 more destination domains. Other uses of SMTP, such as in MUA-to-MSA 1032 submission on ports 587 or 465 are out of scope for this document. 1033 Where those other uses also employ TLS opportunistically and/or 1034 depend on DNSSEC as a result of DNS-based discovery of service 1035 location, the relevant specifications should, as appropriate, arrive 1036 at similar conclusions. 1038 As noted in Section 1.3.1 and Section 1.3.2, sending MTAs cannot, 1039 without relying on DNSSEC for secure MX records and DANE for STARTTLS 1040 support signaling, perform server identity verification or prevent 1041 STARTTLS downgrade attacks. The use of PKIX CAs offers no added 1042 security since an attacker capable of compromising DNSSEC is free to 1043 replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records 1044 bearing any convenient non-PKIX certificate usage. Finally, as 1045 explained in Section 1.3.4, there is no list of trusted CAs agreed by 1046 all MTAs, and no user to "click OK" when a server's CA is not trusted 1047 by a client. 1049 Therefore, TLSA records for the port 25 SMTP service used by client 1050 MTAs SHOULD NOT include TLSA RRs with certificate usage PKIX-TA(0) or 1051 PKIX-EE(1). SMTP client MTAs cannot be expected to be configured 1052 with a suitably complete set of trusted public CAs. Lacking a 1053 complete set of public CAs, MTA clients would not be able to verify 1054 the certificates of SMTP servers whose issuing root CAs are not 1055 trusted by the client. 1057 Opportunistic DANE TLS needs to interoperate without bilateral 1058 coordination of security settings between client and server systems. 1059 Therefore, parameter choices that are fragile in the absence of 1060 bilateral coordination are unsupported. Nothing is lost since the 1061 PKIX certificate usages cannot aid SMTP TLS security, they can only 1062 impede SMTP TLS interoperability. 1064 SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0) 1065 or PKIX-EE(1) is undefined. As with any other unsupported 1066 certificate usage, SMTP clients MAY treat such records as "unusable". 1068 3.2. Certificate matching 1070 When at least one usable "secure" TLSA record is found, the SMTP 1071 client MUST use TLSA records to authenticate the SMTP server. 1072 Messages MUST NOT be delivered via the SMTP server if authentication 1073 fails, otherwise the SMTP client is vulnerable to MITM attacks. 1075 3.2.1. DANE-EE(3) name checks 1077 The SMTP client MUST NOT perform certificate name checks with 1078 certificate usage DANE-EE(3); see Section 3.1.1 above. 1080 3.2.2. DANE-TA(2) name checks 1082 To match a server via a TLSA record with certificate usage DANE- 1083 TA(2), the client MUST perform name checks to ensure that it has 1084 reached the correct server. In all DANE-TA(2) cases the SMTP client 1085 MUST employ the TLSA base domain as the primary reference identifier 1086 for matching the server certificate. 1088 TLSA records for MX hostnames: If the TLSA base domain was obtained 1089 indirectly via a "secure" MX lookup (including any CNAME-expanded 1090 name of an MX hostname), then the original next-hop domain used in 1091 the MX lookup MUST be included as as a second reference 1092 identifier. The CNAME-expanded original next-hop domain MUST be 1093 included as a third reference identifier if different from the 1094 original next-hop domain. When the client MTA is employing DANE 1095 TLS security despite "insecure" MX redirection the MX hostname is 1096 the only reference identifier. 1098 TLSA records for Non-MX hostnames: If MX records were not used 1099 (e.g., if none exist) and the TLSA base domain is the CNAME- 1100 expanded original next-hop domain, then the original next-hop 1101 domain MUST be included as a second reference identifier. 1103 Accepting certificates with the original next-hop domain in addition 1104 to the MX hostname allows a domain with multiple MX hostnames to 1105 field a single certificate bearing a single domain name (i.e., the 1106 email domain) across all the SMTP servers. This also aids 1107 interoperability with pre-DANE SMTP clients that are configured to 1108 look for the email domain name in server certificates. For example, 1109 with "secure" DNS records as below: 1111 exchange.example.org. IN CNAME mail.example.org. 1112 mail.example.org. IN CNAME example.com. 1113 example.com. IN MX 10 mx10.example.com. 1114 example.com. IN MX 15 mx15.example.com. 1115 example.com. IN MX 20 mx20.example.com. 1116 ; 1117 mx10.example.com. IN A 192.0.2.10 1118 _25._tcp.mx10.example.com. IN TLSA 2 0 1 ... 1119 ; 1120 mx15.example.com. IN CNAME mxbackup.example.com. 1121 mxbackup.example.com. IN A 192.0.2.15 1122 ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN) 1123 _25._tcp.mx15.example.com. IN TLSA 2 0 1 ... 1124 ; 1125 mx20.example.com. IN CNAME mxbackup.example.net. 1126 mxbackup.example.net. IN A 198.51.100.20 1127 _25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ... 1129 Certificate name checks for delivery of mail to exchange.example.org 1130 via any of the associated SMTP servers MUST accept at least the names 1131 "exchange.example.org" and "example.com", which are respectively the 1132 original and fully expanded next-hop domain. When the SMTP server is 1133 mx10.example.com, name checks MUST accept the TLSA base domain 1134 "mx10.example.com". If, despite the fact that MX hostnames are 1135 required to not be aliases, the MTA supports delivery via 1136 "mx15.example.com" or "mx20.example.com" then name checks MUST accept 1137 the respective TLSA base domains "mx15.example.com" and 1138 "mxbackup.example.net". 1140 3.2.3. Reference identifier matching 1142 When name checks are applicable (certificate usage DANE-TA(2)), if 1143 the server certificate contains a Subject Alternative Name extension 1144 ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- 1145 IDs are matched against the client's reference identifiers. The CN- 1146 ID ([RFC6125]) is only considered when no DNS-IDs are present. The 1147 server certificate is considered matched when one of its presented 1148 identifiers ([RFC5280]) matches any of the client's reference 1149 identifiers. 1151 Wildcards are valid in either DNS-IDs or the CN-ID when applicable. 1152 The wildcard character must be the entire first label of the DNS-ID 1153 or CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com" 1154 and "*smtp.example.com" are not. SMTP clients MUST support wildcards 1155 that match the first label of the reference identifier, with the 1156 remaining labels matching verbatim. For example, the DNS-ID 1157 "*.example.com" matches the reference identifier "mx1.example.com". 1158 SMTP clients MAY, subject to local policy allow wildcards to match 1159 multiple reference identifier labels, but servers cannot expect broad 1160 support for such a policy. Therefore any wildcards in server 1161 certificates SHOULD match exactly one label in either the TLSA base 1162 domain or the next-hop domain. 1164 4. Server key management 1166 Two TLSA records MUST be published before employing a new EE or TA 1167 public key or certificate, one matching the currently deployed key 1168 and the other matching the new key scheduled to replace it. Once 1169 sufficient time has elapsed for all DNS caches to expire the previous 1170 TLSA RRSet and related signature RRSets, servers may be configured to 1171 use the new EE private key and associated public key certificate or 1172 may employ certificates signed by the new trust anchor. 1174 Once the new public key or certificate is in use, the TLSA RR that 1175 matches the retired key can be removed from DNS, leaving only RRs 1176 that match keys or certificates in active use. 1178 As described in Section 3.1.2, when server certificates are validated 1179 via a DANE-TA(2) trust anchor, and CNAME records are employed to 1180 store the TA association data at a single location, the 1181 responsibility of updating the TLSA RRSet shifts to the operator of 1182 the trust anchor. Before a new trust anchor is used to sign any new 1183 server certificates, its certificate (digest) is added to the 1184 relevant TLSA RRSet. After enough time elapses for the original TLSA 1185 RRSet to age out of DNS caches, the new trust anchor can start 1186 issuing new server certificates. Once all certificates issued under 1187 the previous trust anchor have expired, its associated RRs can be 1188 removed from the TLSA RRSet. 1190 In the DANE-TA(2) key management model server operators do not 1191 generally need to update DNS TLSA records after initially creating a 1192 CNAME record that references the centrally operated DANE-TA(2) RRSet. 1193 If a particular server's key is compromised, its TLSA CNAME SHOULD be 1194 replaced with a DANE-EE(3) association until the certificate for the 1195 compromised key expires, at which point it can return to using a 1196 CNAME record. If the central trust anchor is compromised, all 1197 servers need to be issued new keys by a new TA, and an updated DANE- 1198 TA(2) TLSA RRSet needs to be published containing just the new TA. 1200 SMTP servers cannot expect broad CRL or OCSP support from SMTP 1201 clients. As outlined above, with DANE, compromised server or trust 1202 anchor keys can be "revoked" by removing them from the DNS without 1203 the need for client-side support for OCSP or CRLs. 1205 5. Digest algorithm agility 1207 While [RFC6698] specifies multiple digest algorithms, it does not 1208 specify a protocol by which the SMTP client and TLSA record publisher 1209 can agree on the strongest shared algorithm. Such a protocol would 1210 allow the client and server to avoid exposure to any deprecated 1211 weaker algorithms that are published for compatibility with less 1212 capable clients, but should be ignored when possible. Such a 1213 protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and 1214 servers that implement this specification MUST comply with the 1215 requirements outlined under "Digest Algorithm Agility" in 1216 [I-D.ietf-dane-ops]. 1218 6. Mandatory TLS Security 1220 An MTA implementing this protocol may require a stronger security 1221 assurance when sending email to selected destinations. The sending 1222 organization may need to send sensitive email and/or may have 1223 regulatory obligations to protect its content. This protocol is not 1224 in conflict with such a requirement, and in fact can often simplify 1225 authenticated delivery to such destinations. 1227 Specifically, with domains that publish DANE TLSA records for their 1228 MX hostnames, a sending MTA can be configured to use the receiving 1229 domains's DANE TLSA records to authenticate the corresponding SMTP 1230 server. Authentication via DANE TLSA records is easier to manage, as 1231 changes in the receiver's expected certificate properties are made on 1232 the receiver end and don't require manually communicated 1233 configuration changes. With mandatory DANE TLS, when no usable TLSA 1234 records are found, message delivery is delayed. Thus, mail is only 1235 sent when an authenticated TLS channel is established to the remote 1236 SMTP server. 1238 Administrators of mail servers that employ mandatory DANE TLS need to 1239 carefully monitor their mail logs and queues. If a partner domain 1240 unwittingly misconfigures their TLSA records, disables DNSSEC, or 1241 misconfigures SMTP server certificate chains, mail will be delayed 1242 and may bounce if the issue is not resolved in a timely manner. 1244 7. Note on DANE for Message User Agents 1246 We note that the SMTP protocol is also used between Message User 1247 Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In 1248 [RFC6186] a protocol is specified that enables an MUA to dynamically 1249 locate the MSA based on the user's email address. SMTP connection 1250 security considerations for MUAs implementing [RFC6186] are largely 1251 analogous to connection security requirements for MTAs, and this 1252 specification could be applied largely verbatim with DNS MX records 1253 replaced by corresponding DNS Service (SRV) records 1254 [I-D.ietf-dane-srv]. 1256 However, until MUAs begin to adopt the dynamic configuration 1257 mechanisms of [RFC6186] they are adequately served by more 1258 traditional static TLS security policies. Specification of DANE TLS 1259 for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP 1260 is left to future documents that focus specifically on SMTP security 1261 between MUAs and MSAs. 1263 8. Interoperability considerations 1265 8.1. SNI support 1267 To ensure that the server sends the right certificate chain, the SMTP 1268 client MUST send the TLS SNI extension containing the TLSA base 1269 domain. This precludes the use of the SSL 2.0 compatible SSL HELLO 1270 by the SMTP client. 1272 Each SMTP server MUST present a certificate chain (see [RFC5246] 1273 Section 7.4.2) that matches at least one of the TLSA records. The 1274 server MAY rely on SNI to determine which certificate chain to 1275 present to the client. Clients that don't send SNI information may 1276 not see the expected certificate chain. 1278 If the server's TLSA records match the server's default certificate 1279 chain, the server need not support SNI. In either case, the server 1280 need not include the SNI extension in its TLS HELLO as simply 1281 returning a matching certificate chain is sufficient. Servers MUST 1282 NOT enforce the use of SNI by clients, as the client may be using 1283 unauthenticated opportunistic TLS and may not expect any particular 1284 certificate from the server. If the client sends no SNI extension, 1285 or sends an SNI extension for an unsupported domain, the server MUST 1286 simply send some fallback certificate chain of its choice. The 1287 reason for not enforcing strict matching of the requested SNI 1288 hostname is that DANE TLS clients are typically willing to accept 1289 multiple server names, but can only send one name in the SNI 1290 extension. The server's fallback certificate may match a different 1291 name acceptable to the client, e.g., the original next-hop domain. 1293 8.2. Anonymous TLS cipher suites 1295 Since many SMTP servers either do not support or do not enable any 1296 anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD 1297 offer to negotiate a typical set of non-anonymous cipher suites 1298 required for interoperability with such servers. An SMTP client 1299 employing pre-DANE opportunistic TLS MAY in addition include one or 1300 more anonymous TLS cipher suites in its TLS HELLO. SMTP servers, 1301 that need to interoperate with opportunistic TLS clients SHOULD be 1302 prepared to interoperate with such clients by either always selecting 1303 a mutually supported non-anonymous cipher suite or by correctly 1304 handling client connections that negotiate anonymous cipher suites. 1306 Note that while SMTP server operators are under no obligation to 1307 enable anonymous cipher suites, no security is gained by sending 1308 certificates to clients that will ignore them. Indeed support for 1309 anonymous cipher suites in the server makes audit trails more 1310 informative. Log entries that record connections that employed an 1311 anonymous cipher suite record the fact that the clients did not care 1312 to authenticate the server. 1314 9. Operational Considerations 1316 9.1. Client Operational Considerations 1318 An operational error on the sending or receiving side that cannot be 1319 corrected in a timely manner may, at times, lead to consistent 1320 failure to deliver time-sensitive email. The sending MTA 1321 administrator may have to choose between letting email queue until 1322 the error is resolved and disabling opportunistic or mandatory DANE 1323 TLS (Section 6) for one or more destinations. The choice to disable 1324 DANE TLS security should not be made lightly. Every reasonable 1325 effort should be made to determine that problems with mail delivery 1326 are the result of an operational error, and not an attack. A 1327 fallback strategy may be to configure explicit out-of-band TLS 1328 security settings if supported by the sending MTA. 1330 SMTP clients may deploy opportunistic DANE TLS incrementally by 1331 enabling it only for selected sites, or may occasionally need to 1332 disable opportunistic DANE TLS for peers that fail to interoperate 1333 due to misconfiguration or software defects on either end. Some 1334 implementations MAY support DANE TLS in an "audit only" mode in which 1335 failure to achieve the requisite security level is logged as a 1336 warning and delivery proceeds at a reduced security level. Unless 1337 local policy specifies "audit only" or that opportunistic DANE TLS is 1338 not to be used for a particular destination, an SMTP client MUST NOT 1339 deliver mail via a server whose certificate chain fails to match at 1340 least one TLSA record when usable TLSA records are found for that 1341 server. 1343 9.2. Publisher Operational Considerations 1345 Some MTAs enable STARTTLS selectively. For example they might only 1346 support STARTTLS with clients that have previously demonstrated 1347 "proper MTA behavior", for example by retrying the delivery of 1348 deferred messages (greylisting). If such an MTA publishes DANE TLSA 1349 records, sending MTAs that implement this specification will not 1350 attempt the initial cleartext SMTP transaction needed to establish 1351 the "proper MTA behavior", because they cannot establish the required 1352 channel security. Server operators MUST NOT implement selective 1353 STARTTLS if they also want to support DANE TLSA. 1355 TLSA Publishers MUST follow the guidelines in the "TLSA Publisher 1356 Requirements" section of [I-D.ietf-dane-ops]. 1358 TLSA Publishers SHOULD follow the TLSA publication size guidance 1359 found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines". 1361 TLSA Publishers SHOULD follow the TLSA record TTL and signature 1362 lifetime recommendations found in [I-D.ietf-dane-ops] under 1363 "Operational Considerations". 1365 10. Security Considerations 1367 This protocol leverages DANE TLSA records to implement MITM resistant 1368 opportunistic security ([RFC7435]) for SMTP. For destination domains 1369 that sign their MX records and publish signed TLSA records for their 1370 MX hostnames, this protocol allows sending MTAs to securely discover 1371 both the availability of TLS and how to authenticate the destination. 1373 This protocol does not aim to secure all SMTP traffic, as that is not 1374 practical until DNSSEC and DANE adoption are universal. The 1375 incremental deployment provided by following this specification is a 1376 best possible path for securing SMTP. This protocol coexists and 1377 interoperates with the existing insecure Internet email backbone. 1379 The protocol does not preclude existing non-opportunistic SMTP TLS 1380 security arrangements, which can continue to be used as before via 1381 manual configuration with negotiated out-of-band key and TLS 1382 configuration exchanges. 1384 Opportunistic SMTP TLS depends critically on DNSSEC for downgrade 1385 resistance and secure resolution of the destination name. If DNSSEC 1386 is compromised, it is not possible to fall back on the public CA PKI 1387 to prevent MITM attacks. A successful breach of DNSSEC enables the 1388 attacker to publish TLSA usage 3 certificate associations, and 1389 thereby bypass any security benefit the legitimate domain owner might 1390 hope to gain by publishing usage 0 or 1 TLSA RRs. Given the lack of 1391 public CA PKI support in existing MTA deployments, avoiding 1392 certificate usages 0 and 1 simplifies implementation and deployment 1393 with no adverse security consequences. 1395 Implementations must strictly follow the portions of this 1396 specification that indicate when it is appropriate to initiate a non- 1397 authenticated connection or cleartext connection to a SMTP server. 1398 Specifically, in order to prevent downgrade attacks on this protocol, 1399 implementation must not initiate a connection when this specification 1400 indicates a particular SMTP server must be considered unreachable. 1402 11. IANA considerations 1404 This specification requires no support from IANA. 1406 12. Acknowledgements 1408 The authors would like to extend great thanks to Tony Finch, who 1409 started the original version of a DANE SMTP document. His work is 1410 greatly appreciated and has been incorporated into this document. 1411 The authors would like to additionally thank Phil Pennock for his 1412 comments and advice on this document. 1414 Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me 1415 to begin work on this memo and provided feedback on early drafts. 1416 Thanks to Patrick Koetter, Perry Metzger and Nico Williams for 1417 valuable review comments. Thanks also to Wietse Venema who created 1418 Postfix, and whose advice and feedback were essential to the 1419 development of the Postfix DANE implementation. 1421 13. References 1422 13.1. Normative References 1424 [I-D.ietf-dane-ops] 1425 Dukhovni, V. and W. Hardaker, "Updates to and Operational 1426 Guidance for the DANE Protocol", draft-ietf-dane-ops-08 1427 (work in progress), May 2015. 1429 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 1430 STD 13, RFC 1034, November 1987. 1432 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1433 Requirement Levels", BCP 14, RFC 2119, March 1997. 1435 [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over 1436 Transport Layer Security", RFC 3207, February 2002. 1438 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1439 Rose, "DNS Security Introduction and Requirements", RFC 1440 4033, March 2005. 1442 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1443 Rose, "Resource Records for the DNS Security Extensions", 1444 RFC 4034, March 2005. 1446 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1447 Rose, "Protocol Modifications for the DNS Security 1448 Extensions", RFC 4035, March 2005. 1450 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1451 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1453 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1454 Housley, R., and W. Polk, "Internet X.509 Public Key 1455 Infrastructure Certificate and Certificate Revocation List 1456 (CRL) Profile", RFC 5280, May 2008. 1458 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 1459 October 2008. 1461 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July 1462 2009. 1464 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 1465 Extension Definitions", RFC 6066, January 2011. 1467 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 1468 Verification of Domain-Based Application Service Identity 1469 within Internet Public Key Infrastructure Using X.509 1470 (PKIX) Certificates in the Context of Transport Layer 1471 Security (TLS)", RFC 6125, March 2011. 1473 [RFC6186] Daboo, C., "Use of SRV Records for Locating Email 1474 Submission/Access Services", RFC 6186, March 2011. 1476 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the 1477 DNS", RFC 6672, June 2012. 1479 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 1480 of Named Entities (DANE) Transport Layer Security (TLS) 1481 Protocol: TLSA", RFC 6698, August 2012. 1483 [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify 1484 Conversations about DNS-Based Authentication of Named 1485 Entities (DANE)", RFC 7218, April 2014. 1487 13.2. Informative References 1489 [I-D.ietf-dane-srv] 1490 Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- 1491 Based Authentication of Named Entities (DANE) TLSA Records 1492 with SRV Records", draft-ietf-dane-srv-14 (work in 1493 progress), April 2015. 1495 [RFC1035] Mockapetris, P., "Domain names - implementation and 1496 specification", STD 13, RFC 1035, November 1987. 1498 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 1499 Specification", RFC 2181, July 1997. 1501 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 1502 4949, August 2007. 1504 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", 1505 STD 72, RFC 6409, November 2011. 1507 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 1508 Most of the Time", RFC 7435, December 2014. 1510 Authors' Addresses 1511 Viktor Dukhovni 1512 Two Sigma 1514 Email: ietf-dane@dukhovni.org 1516 Wes Hardaker 1517 Parsons 1518 P.O. Box 382 1519 Davis, CA 95617 1520 US 1522 Email: ietf@hardakers.net