Good morning postfix users,

we at ungleich [0] plan to switch towards IPv6 only mail services in the
near future and we would like to "revolutionise" the way how we handle
mail while we do this step. This mail is to discuss the idea and get
some feedback from the community of other postfix users.

In a nutshell the idea is to reuse the very old, existing "trust of web"
idea and mix it together with IPv6 only mail services, resulting in the
following setup:

- All participating mail servers are IPv6 only [1]
- Every participating entity has an OpenPGP keypair [2]
- Every mail server of an entity only accepts email, if the sending
  mail server's public key is signed by a trusted key
- The definition of a trusted key is:
  - We have signed and trusted [3] the key ("direct")
  - The signing key is signed by us ("indirect-level-one")
  - The signing key is signed by a key in the chain at a certain depth
    ("indirect-chain") [4]
- Additionally there might be a negative / exception in this stating:
  A) if the key is X, refuse mail
  - Note that this cannot apply to signatures, because anyone can sign a
    key and if we were to refuse a key based on its signatures, a
    blacklisted key could render valid keys invalid
  B) if the key is X, ignore the chain created by it
     - This prevents trusting signatures from a specific key, even if
       the key is signed in our trust of web.
     - This still allows for keys to be taken into our trusted web that are
       signed by this key by someone else we (in-)directly trust

The underlying assumption is as follows:

- This network of trusted entities starts very small
  (in our case we sign a couple of friendly other ISPs in Switzerland,
  where we are located)
- Those ISPs do the same, so the network grows
- Eventually multiple networks join, when the first participant of
  network A starts to sign a key of network B
- A decentralised approach such as this one will help to build a more stable Internet

The reason why I am posting this to the postfix users mailing list is twofold:

- I'd like to hear what you think about the approach
- I was wondering what would be the best approach to incorporate this logic
  into postfix

This is just an initial sketch; obviously there are some details to be
clarified:

- such as caching / pre-loading keys or dynamically loading the trust of web
  on connection, etc.
- Should this be combined with additional information such as incorporating
  signing networks
  ("the key for domain ungleich.ch signed information that mail is only sent
  from networks a, b, c")
- How much the overlap is with SPF/DKIM/DNSSEC which are all somewhat helpful
  - however none of them address the issue as a whitelist only
- Migration paths could be rather easily established. Existing mail providers
  could add an IPv6-only, signed mail service as described above to their
  infrastructure and internally connect it to the existing mail service. Mail
  coming in via this new service could be labeled or marked as "trusted
  source", thus giving users of a service the ability to receive mails from
  trusted sites.
- One could argue that some users might even want to maintain their *own*
  trust of web and thus this feature could be a user based configuration
  option:

  - if the user has set up a signing key -> use this one
  - if not -> use the system default

  However this would be something way beyond a first PoC.

Looking forward to your feedback, any pointers are welcome.

Best regards,

Nico

[0] The guys at www.ungleich.ch.
[1] Not only is it much cleaner, but it also drops a lot of noise from current
spammers and gives a bit of breathing time until things are fully
working as expected.
[2] We can talk about x509, certs, other methods, but essentially the
feature set required is being able to publicly sign & trust other keys.
[3] The question is whether one needs to differentiate between signing
for delivery and signing for trusting the signing chain of the key. Not
having to differentiate would keep the system simpler, but might also
lead to allowing too much traffic in.
[4] The depth of the trust might be a local setting and should be
independent of the keychain itself. The expectation is that the trust
depth might be a setting that needs to be learned or even changed over time.
The more keys we sign, the less deep the chain has to be.

-- 
Sustainable and modern Infrastructures by ungleich.ch
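The trust-depth rules sketched in the post ("direct", "indirect-level-one", "indirect-chain", plus exceptions A and B) and the question of how to hook them into Postfix, worked through as an added example. This is not code from the post or from ungleich; it is one way a reader could prototype the idea. Assumptions: the fingerprints, the 2001:db8:: addresses and the address-to-key table are constructed sample data; rule A is read so that a refused key is also a dead end for the chain (the post only says its mail is refused); and the Postfix integration point chosen here is the policy delegation protocol (the `name=value` request a `check_policy_service` sends to a policy daemon), which the post does not specify.

```python
from collections import defaultdict, deque

# Constructed sample data: fingerprints and 2001:db8:: addresses are placeholders.
OUR_KEY = "FPR_UNGLEICH"

# (signer, signed key) pairs: "signer has signed signed-key".
SAMPLE_SIGNATURES = [
    ("FPR_UNGLEICH", "FPR_ISP_A"),      # we signed ISP A: "direct"
    ("FPR_ISP_A", "FPR_ISP_B"),         # ISP A signed ISP B: "indirect-level-one"
    ("FPR_ISP_B", "FPR_ISP_C"),         # deeper: "indirect-chain"
    ("FPR_ISP_C", "FPR_ISP_D"),
    ("FPR_ISP_A", "FPR_BAD"),           # signed by ISP A, but refused by us (rule A)
    ("FPR_BAD", "FPR_VICTIM"),          # FPR_BAD also signed a legitimate key ...
    ("FPR_ISP_B", "FPR_VICTIM"),        # ... which ISP B signed as well
    ("FPR_ISP_A", "FPR_LOOSE"),         # trusted key whose own signatures we ignore (rule B)
    ("FPR_LOOSE", "FPR_ONLY_VIA_LOOSE"),
    ("FPR_LOOSE", "FPR_ALSO_VIA_B"),
    ("FPR_ISP_B", "FPR_ALSO_VIA_B"),
]

# Constructed mapping of sending-server IPv6 address -> key fingerprint.
ADDRESS_TO_KEY = {
    "2001:db8::a": "FPR_ISP_A",
    "2001:db8::d": "FPR_ISP_D",
    "2001:db8::bad": "FPR_BAD",
}

LABELS = {1: "direct", 2: "indirect-level-one"}  # depth 3 and beyond: "indirect-chain"


def trust_level(key, signatures, our_key, max_depth, refused=(), ignored_chains=()):
    """Shortest signature chain from our_key to key as (label, depth), or None.

    refused:        rule A, keys that are never trusted. Assumption made here:
                    such a key is also a dead end, so it cannot introduce others.
    ignored_chains: rule B, keys whose own signatures do not extend trust; the
                    key itself may still be trusted through somebody else's signature.
    """
    if key in refused:
        return None
    signs = defaultdict(set)          # signer -> keys it has signed
    for signer, signed in signatures:
        signs[signer].add(signed)
    seen = {our_key}
    queue = deque([(our_key, 0)])     # breadth-first, so the first hit is the shortest chain
    while queue:
        current, depth = queue.popleft()
        if depth >= max_depth or current in ignored_chains:
            continue
        for signed in signs[current]:
            if signed in seen or signed in refused:
                continue
            seen.add(signed)
            if signed == key:
                return LABELS.get(depth + 1, "indirect-chain"), depth + 1
            queue.append((signed, depth + 1))
    return None


def parse_policy_request(text):
    """Parse one Postfix policy-delegation request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(request_text, address_to_key=ADDRESS_TO_KEY, signatures=SAMPLE_SIGNATURES,
                  max_depth=3, refused=(), ignored_chains=()):
    """Return the 'action=' value a policy daemon would send back to smtpd (whitelist-only)."""
    attrs = parse_policy_request(request_text)
    key = address_to_key.get(attrs.get("client_address"))
    if key is None:
        return "REJECT sending host has no key in our web of trust"
    level = trust_level(key, signatures, OUR_KEY, max_depth, refused, ignored_chains)
    if level is None:
        return "REJECT sending host key is not trusted"
    return "OK"


# Constructed request in the shape smtpd sends to a check_policy_service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=2001:db8::a\n"
    "sender=someone@example.com\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_action(SAMPLE_REQUEST))                        # OK
    print(policy_action(SAMPLE_REQUEST.replace("::a", "::d")))  # REJECT sending host key is not trusted
```

A daemon wrapping `policy_action` would be listed under `smtpd_client_restrictions` as a `check_policy_service`, and the address lookup is only a stand-in for whatever binds a connecting server to its key; with the x509 variant mentioned in footnote [2], the `ccert_fingerprint` attribute that smtpd already passes to policy services would remove the lookup entirely. Building the signer map on every request is deliberately naive and is where the caching / pre-loading question from the post comes in.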
