Mailing List Archive

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
The option description in 30 is indeed wrong. I'll update that.

> If host matches hosts_require_dane # DANE "requested"
^^^ no, required

> skip host (i.e. bounce mail if it is the only MX)
^^^ fail the router. Bounces depend on other
considerations
> else GOTO regular_TLS
^^^ No.
" If it does not, the host will not be used; there is no
fallback to non-DANE or non-TLS. " - chapter 43.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

Git Commit <git@exim.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |git@exim.org

--- Comment #2 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/725900cda2676bad205fb9ff44e563332766479e

commit 725900cda2676bad205fb9ff44e563332766479e
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Sat Feb 27 19:01:07 2021 +0000
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Sat Feb 27 19:11:17 2021 +0000

docs: fix description of hosts_try_dane. bug 2704
----
doc/doc-docbook/spec.xfpt | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #3 from Andreas Metzler <eximusers@bebt.de> ---
(In reply to Jeremy Harris from comment #1)
[...]
> > If host matches hosts_require_dane # DANE "requested"
> ^^^ no, required
>
> > skip host (i.e. bounce mail if it is the only MX)
> ^^^ fail the router. Bounces depend on other
> considerations
> > else GOTO regular_TLS
> ^^^ No.
> " If it does not, the host will not be used; there is no
> fallback to non-DANE or non-TLS. " - chapter 43.

Hello,

This quoting was too selective. - Could you please post a corrected
clomplete pseudocode? I cannot specify exactly what is wrong/unclear
with the documentation (and come up with a patch) unless I have an
understanding of what exim actually does.


As I wrote, chapter 43 is exactly what I looked at and what was not that
helpful. ;-) Just for illustration, while keeping in mind that
"hosts_try_dane" defaults to *:

| A TLSA lookup will be done if either of the above options match and the
| host-lookup succeeded using DNSSEC. If a TLSA lookup is done and
| succeeds, a DANE-verified TLS connection will be required for the host.
| If it does not, the host will not be used; there is no fallback to
| non-DANE or non-TLS.

Which translates to
if ( (hosts_require_dane OR hosts_try_dane)
AND successful DNSSEC host-lookup) {
check for TLSA record
if there is a TLSA record
require DANE-verified TLS connection
else /* reading "If it does not" as "no TLSA found" */
skip host

So if this sentence was correct then exim would not deliver to hosts
with dnssec but without DANE (if exim uses dnssec). Which is not what
725900cda2676bad205fb9ff44e563332766479e says about hosts_try_dane:

| If built with DANE support, Exim will look up a TLSA record for any host
| matching the list, If one is found and that lookup was DNSSEC-validated,
| then Exim requires that a DANE-verified TLS connection is made for that
| host; there will be no fallback to in-clear communication.

if (hosts_try_dane AND successful DNSSEC host-lookup) {
check for DNSSECed TLSA record
if there is a DNSSECed TLSA record
require DANE-verified TLS connection
else /* no TLSA */
regular TLS

TIA, cu Andreas

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

On Sun, Feb 28, 2021 at 07:04:58AM +0000, admin--- via Exim-dev wrote:

> This quoting was too selective. - Could you please post a corrected
> clomplete pseudocode? I cannot specify exactly what is wrong/unclear
> with the documentation (and come up with a patch) unless I have an
> understanding of what exim actually does.

Regardless of what it does, in order to be a correct implementation
of DANE it SHOULD:

- When DANE is opportunistic (not apriori mandated by local
policy for some set of destinations that MUST have DANE
TLSA records):

- Check that the destination domain has DNSSEC-signed MX
records. If not, continue with normal opportunstic TLS.

- Check that the current MX host is in a DNSSEC-signed zone.
(Its A/AAAA records are signed or result from a CNAME
chain whose first "link" is DNSSEC signed).
If not, continue with normal opportunstic TLS.

- If the MX A/AAAA records are an end-to-end signed CNAME
chain (all links signed), then look for TLSA RRs first
at the end of the chain. If no TLSA records found there,
or if not a chain or chain not signed end-to-end, look
for TLSA RRs at the original MX name.

When looking for TLSA RRs, prepend _<port>._tcp to the
candidate "TLSA base domain", and check the status of
the answer:

* If signed TLSA RRs found (AD=1), bingo, use these.
* If NODATA or NXDOMAIN (secure or insecure), fine,
no TLSA records for this candidate base domain.
* If insecure answer, likewise.
* Any query status other than answers, NODATA, or
NXDOMAIN is a hard error for the MX host in question.
Continuing to use the MX host would open up downgrade
attacks.

- If no signed TLSA RRs found, continue with normal
opportunistic TLS.

- Otherwise, use the obtained TLSA records to require that
the MX host provides STARTTLS and refuse to downgrade to
cleartext.

- If any of the TLSA records are "usable", require that the
presented certificate chain validates against these TLSA
records. Most sensible server operators avoid all TLSA
usages other than "3 1 1" and "2 1 1", but the client
should be willing to validate any "2 [01] [012]" or
"3 [01] [012]" record. On authentication failure, terminate
the connection without delivering mail.

With "2 X [12]" records, the issuing CA certificate MUST be
included in the server's certificate chain message.

- If none of the TLSA records are usable, just enforce STARTTLS,
without authentication.

- When DANE is mandated by local policy, do all the above, but
never fallback to cleartext or unauthenticated TLS. Instead
just skip the MX host if signed TLSA records that authenticate
the remote chain are not available.

> | A TLSA lookup will be done if either of the above options match and the
> | host-lookup succeeded using DNSSEC. If a TLSA lookup is done and
> | succeeds, a DANE-verified TLS connection will be required for the host.
> | If it does not, the host will not be used; there is no fallback to
> | non-DANE or non-TLS.
>
> Which translates to
> if ( (hosts_require_dane OR hosts_try_dane)
> AND successful DNSSEC host-lookup) {
> check for TLSA record
> if there is a TLSA record
> require DANE-verified TLS connection
> else /* reading "If it does not" as "no TLSA found" */
> skip host

There is in the text you quote a failure to distinguish between two
types of "success":

A. The query did not fail, returning an answer, NODATA, or
NXDOMAIN.

B. The query returned a DNSSEC-validated non-empty answer.

If "A" fails, the host MUST be skipped, no fallback, ... If only "B"
fails, then unless DANE is *required*, the MX host should be used
with normal opportunstic TLS.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
if (host lookup was dnssec)
if (require dane or try dane)
do TLSA lookup
if (succeed TLSA)
if (TLSA lookup was dnssec)
require DANE-verified TLS connection
else
if (require dane)
do not make connection
else /* try dane */
ordinary connection
elif (nodata TLSA) /* or NOMATCH */
if (require dane)
do not make connection
else
ordinary connection
else (fail lookup TLSA)
do not make connection
else
if (require dane)
do not make connection
else /* try_dane, or unspecified */
ordinary connection

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #5 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
I'd want to do DANE for all hosts that are DNSSEC signed but not require it
otherwise.

(In reply to Jeremy Harris from comment #4)
> if (host lookup was dnssec)
> if (require dane or try dane)
> do TLSA lookup
> if (succeed TLSA)
> if (TLSA lookup was dnssec)
> require DANE-verified TLS connection
> else
> if (require dane)
> do not make connection

I'd need to set "hosts_require_dane = *" to get here.

> else /* try dane */
> ordinary connection
> elif (nodata TLSA) /* or NOMATCH */
> if (require dane)
> do not make connection

If this is signed then the NXDOMAIN is ok and it could proceed with
opportunistic TLS.

> else
> ordinary connection
> else (fail lookup TLSA)
> do not make connection
> else
> if (require dane)
> do not make connection

If I set "hosts_require_dane = *" then I end up here but I don't want that.

> else /* try_dane, or unspecified */
> ordinary connection

There doesn't appear to be a way to require DANE if there's a signed TLSA
result without also refusing connections when the host lookup is not signed.

I'd expect that if the host lookup is signed, the TLSA result must be signed
(either present or not present) and then strictly followed. As described above,
"hosts_try_dane = *" is insecure if the TLSA result is unsigned and
"hosts_require_dane = *" is too strict for general use.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

On Sat, Mar 06, 2021 at 11:04:57PM +0000, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2704
>
> --- Comment #5 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
> I'd want to do DANE for all hosts that are DNSSEC signed but not require it
> otherwise.

This makes no sense. On what basis would you expect to have TLSA
records for all MX hosts in DNSSEC-signed zones?

> There doesn't appear to be a way to require DANE if there's a signed TLSA
> result without also refusing connections when the host lookup is not signed.

You appear to be confused. DANE is *required* when there are signed
DANE TLSA records.

> I'd expect that if the host lookup is signed, the TLSA result must be signed
> (either present or not present) and then strictly followed.

That's not always true. Some zones have "insecure" denial of existence
via NSEC3 opt-out. Also, the TLSA qname could be a CNAME (perhaps
wildcard synthesised) into an unsigned zone.

> As described above, "hosts_try_dane = *" is insecure if the TLSA
> result is unsigned.

If there are no signed TLSA records, then DANE is not enforced. That's
correct. There's not much point in honouring unsigned TLSA records,
they're supposed to defend against *active* attacks. For passive
monitoring, just STARTTLS is enough. Active on-path attackers can just
return forged TLSA replies matching the certs of their MiTM stack.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #6 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
>> There doesn't appear to be a way to require DANE if there's a signed TLSA
>> result without also refusing connections when the host lookup is not signed.
>
> You appear to be confused. DANE is *required* when there are signed
> DANE TLSA records.

I'm not confused. I am stating my understanding of the behaviour of Exim based
on Jeremy's comment.

There is a lack of information on when Exim sets the AD flag or how it
interprets responses. What is "TLSA lookup was dnssec" supposed to mean?

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #7 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
Given what "try" means for Exim generally, "hosts_try_dane" is probably not
named correctly.

It should be renamed to something like "hosts_enforce_dane" or "hosts_use_dane"
with a backward-compatibility alias for the old name.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #8 from Andreas Metzler <eximusers@bebt.de> ---
(In reply to Jeremy Harris from comment #4)
> if (host lookup was dnssec)
[...]

Thank you Jeremy!

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #9 from Jeremy Harris <jgh146exb@wizmail.org> ---
Assuming that DNSSEC was not disabled at build time:

Exim always includes RES_USE_DNSSEC in the resolver options. It uses
res_search() to ask for lookups. It looks at the AD bit in the answer
structure.

Apart from worrying about RES_TRUSTAD, and shenanigans with AA which you have
sometimes to take as a proxy for AD, that's it. "TLSA lookup was dnssec"
means "The response with the TLSA in had the AD bit set".

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #10 from Andreas Metzler <eximusers@bebt.de> ---
(In reply to Jeremy Harris from comment #4)
[...]

How about updating spec as follows?
----------------------
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 6ce9d87da..16ef527bd 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -30109,13 +30109,21 @@ those who use &%hosts_require_ocsp%&, should consider
the interaction with DANE

For client-side DANE there are three new smtp transport options,
&%hosts_try_dane%&, &%hosts_require_dane%&
and &%dane_require_tls_ciphers%&.
-The &"require"& variant will result in failure if the target host is not
-DNSSEC-secured. To get DNSSEC-secured hostname resolution, use
+The &"require"& variant will result in failure if DANE verification of the
+certificate fails or is not possible, like e.g. if the target host is not
+DNSSEC-secured. On the other hand &%hosts_try_dane%& will fall back to
+non-DANE if any of the necessary pre-conditions up to and including
+DNSSEC-secured lookup of the TLSA record are not met. - It will still fail
+without fallback to non-DANE if the preconditions are met but the server
+certificate cannot be verified against the data in the TLSA record.
+To get DNSSEC-secured hostname resolution, use
the &%dnssec_request_domains%& router or transport option.

DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA
records.

-A TLSA lookup will be done if either of the above options match and the
host-lookup succeeded using DNSSEC.
+A TLSA lookup will be done if either &%hosts_try_dane%& or
+&%hosts_require_dane%& options match (DANE "requested") and the host-lookup
+succeeded using DNSSEC.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
----------------------

It is not perfect since there is some duplicate information which is spelled
out more verbose later but it imho it clarifies things quite a bit.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##