maddy

Fork https://github.com/foxcpp/maddy

git clone git://git.lin.moe/go/maddy.git

 1# Outbound delivery security
 2
 3maddy implements a number of schemes and protocols for discovery and
 4enforcement of security features supported by the recipient MTA.
 5
 6## Introduction to the problems of secure SMTP
 7
 8Outbound delivery security involves two independent problems:
 9
10- MX record authentication
11- TLS enforcement
12
13### MX record authentication
14
15When MTA wants to deliver a message to a mailbox at remote domain, it needs to
16discover the server to use for it. It is done through the lookup of DNS MX
17records for the recipient.
18
19Problem arises from the fact that DNS does not have any cryptographic
20protection and so any malicious actor can technically modify the response to
21contain any server. And MTA would use that server!
22
23There are two protocols that solve this problem: MTA-STS and DNSSEC.
24Former requires the MTA to verify used records against a list of rules published
25via HTTPS. Later cryptographically signs the records themselves.
26
27### TLS enforcement
28
29By default, server-server SMTP is unencrypted. If remote server supports TLS,
30it is advertised via the ESMTP extension named STARTTLS, but malicious actor
31controlling communication channel can hide the support for STARTTLS and sender
32MTA will have to use plaintext. There needs to be a out-of-band authenticated
33channel to indicate TLS support (and to require its use).
34
35MTA-STS and DANE solve this problem. In the first case, if policy is in
36"enforce" mode then MTA is required to use TLS when delivering messages to a
37remote server. DANE does pretty much the same thing, but using DNSSEC-signed
38TLSA records.
39
40## maddy policy details
41
42maddy defines two values indicating how "secure" delivery of message will be:
43
44- MX security level
45- TLS security level
46
47These values correspond to the problems described above. On delivery, the
48established connection to the remote server is "ranked" using these values and
49then they are compared against a number of policies (including local
50configuration). If the effective value is lower than the required one, the
51connection is closed and next candidate server is used. If all connections fail
52this way - the delivery is failed (or deferred if there was a temporary error
53when checking policies).
54
55Below is the table summarizing the security level values defined in maddy and
56protection they offer.
57
58| MX/TLS level  | None | Encrypted | Authenticated        |
59| ------------- | ---- | --------- | -------------------- |
60|     None      |  -   |    P      |      P               |
61|    MTA-STS    |  -   |    P      |      PA (see note 1) |
62|    DNSSEC     |  -   |    P      |      PA              |
63
64Legend: P - protects against passive attacks; A - protects against active
65attacks
66
67- MX level: None. MX candidate was returned as a result of DNS lookup for the
68  recipient domain, no additional checks done.
69- MX level: MTA-STS. Used MX matches the MTA-STS policy published by the
70  recipient domain (even one in testing mode).
71- MX level: DNSSEC. MX record is signed.
72
73- TLS level: None. Plaintext connection was established, TLS is not available
74  or failed.
75- TLS level: Encrypted. TLS connection was established, the server certificate
76  failed X.509 and DANE verification.
77- TLS level: Authenticated. TLS connection was established, the server
78  certificate passes X.509 **or** DANE verification.
79
80**Note 1:** Persistent attacker able to control network connection can
81interfere with policy refresh, downgrading protection to be secure only against
82passive attacks.
83
84## maddy security policies
85
86See [Remote MX delivery](/reference/targets/remote/) for description of configuration options available for each policy mechanism
87supported by maddy.
88
89[RFC 8461 Section 10.2]: https://www.rfc-editor.org/rfc/rfc8461.html#section-10.2 (SMTP MTA Strict Transport Security - 10.2. Preventing Policy Discovery)