Re: [Uta] Interaction between MTA-STS and DANE

Viktor Dukhovni


> On Oct 23, 2017, at 12:17 PM, Ivan Ristic <[hidden email]> wrote:
>
> Not in practice. If you're not using vanity MX, it's obvious where the email
> is going.

Actually (ignoring for the moment the clear-text DNS query leak, which
DNSPRIV is supposed to address) the opposite is true.  When sending email
without SNI to any of the domains below the TLS network traffic looks
largely the same (no leak of the recipient domain).

We can only make progress on the pros/cons of SNI for SMTP STS if we
can get the basic facts straight.  The quoted text above is simply
wrong.

cleanis.nu. IN MX 0 cleanis-nu.mail.protection.outlook.com.
cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.170
cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.202

targetoo.co.uk. IN MX 0 targetoo-co-uk.mail.protection.outlook.com.
targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.170
targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.202

tib.nu. IN MX 0 tib-nu.mail.protection.outlook.com.
tib-nu.mail.protection.outlook.com. IN A 213.199.154.170
tib-nu.mail.protection.outlook.com. IN A 213.199.154.202

taberna.no. IN MX 10 taberna-no.mail.protection.outlook.com.
taberna-no.mail.protection.outlook.com. IN A 213.199.154.170
taberna-no.mail.protection.outlook.com. IN A 213.199.154.202

(IP addresses vary based on global DNS load balancers).

So SNI would add a privacy leak channel to SMTP TLS.  The same
leak presently exists for the DNS MX lookup, but that's
cached, so made less frequently, and may be at some point
in part addressed via DPRIV.

--
        Viktor.
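An added illustration of the point made in the message above (this is not code from the thread or from any of its participants): given the MX and A records quoted, it computes which recipient domains a passive observer of outbound SMTP TLS could infer from the destination IP alone, and which it could infer if the client also sent an SNI value naming the MX host. The four outlook.com-hosted domains and their addresses are copied from the message; the fifth entry, `vanity.example` with a dedicated MX at the documentation address 192.0.2.25, is a constructed contrast case.

```python
"""Recipient-domain inference from destination IP versus SNI (added example).

RECORDS is a constructed zone-style snippet: the outlook.com entries are the
ones quoted in the thread, 'vanity.example' is invented for contrast.
"""
from collections import defaultdict

RECORDS = """\
cleanis.nu. IN MX 0 cleanis-nu.mail.protection.outlook.com.
cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.170
cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.202
targetoo.co.uk. IN MX 0 targetoo-co-uk.mail.protection.outlook.com.
targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.170
targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.202
tib.nu. IN MX 0 tib-nu.mail.protection.outlook.com.
tib-nu.mail.protection.outlook.com. IN A 213.199.154.170
tib-nu.mail.protection.outlook.com. IN A 213.199.154.202
taberna.no. IN MX 10 taberna-no.mail.protection.outlook.com.
taberna-no.mail.protection.outlook.com. IN A 213.199.154.170
taberna-no.mail.protection.outlook.com. IN A 213.199.154.202
vanity.example. IN MX 10 mx.vanity.example.
mx.vanity.example. IN A 192.0.2.25
"""


def parse_records(text):
    """Return (mx_of: domain -> set of MX hosts, a_of: host -> set of IPs)."""
    mx_of = defaultdict(set)
    a_of = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner = parts[0].rstrip(".")
        if parts[2] == "MX" and len(parts) == 5:
            mx_of[owner].add(parts[4].rstrip("."))
        elif parts[2] == "A":
            a_of[owner].add(parts[3])
    return mx_of, a_of


def recipients_by_ip(text, ip):
    """Recipient domains consistent with a TLS connection to `ip` (no SNI).

    This is the observer's anonymity set: every domain whose MX host
    resolves to that address is an equally plausible recipient.
    """
    mx_of, a_of = parse_records(text)
    return sorted(d for d, hosts in mx_of.items()
                  if any(ip in a_of[h] for h in hosts))


def recipients_by_sni(text, sni):
    """Recipient domains consistent with an SNI value naming the MX host."""
    mx_of, _ = parse_records(text)
    return sorted(d for d, hosts in mx_of.items() if sni.rstrip(".") in hosts)


def anonymity_sets(text):
    """Map each destination IP to the recipient domains it could serve."""
    mx_of, a_of = parse_records(text)
    by_ip = defaultdict(set)
    for domain, hosts in mx_of.items():
        for host in hosts:
            for ip in a_of[host]:
                by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


if __name__ == "__main__":
    for ip, domains in sorted(anonymity_sets(RECORDS).items()):
        print(f"{ip}: {len(domains)} candidate recipient(s): {', '.join(domains)}")
    # With a per-tenant MX hostname in SNI, the candidate set collapses to one.
    print("SNI tib-nu.mail.protection.outlook.com ->",
          recipients_by_sni(RECORDS, "tib-nu.mail.protection.outlook.com"))
```

For the shared outlook.com addresses the IP-only candidate set contains all four hosted domains, whereas the per-tenant MX hostname carried in SNI identifies exactly one; only the constructed dedicated-MX domain is equally identifiable either way. The same grouping can be run over a real MX/A dataset to estimate how much SNI would narrow the recipient set for a given hosting provider.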