Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

John R Levine <johnl@taugh.com> Sun, 04 April 2021 18:17 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC9FC3A13B9 for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 11:17:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=vm6JNZfm; dkim=pass (2048-bit key) header.d=taugh.com header.b=WJqXhgqO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH0pmjTdgi_I for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 11:17:35 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6333A07A4 for <ietf-smtp@ietf.org>; Sun, 4 Apr 2021 11:17:35 -0700 (PDT)
Received: (qmail 54525 invoked from network); 4 Apr 2021 18:17:33 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=d4fb.606a02bd.k2104; bh=uk78X5R+f5tvWADVBPMXf7/wU2zFz56UZetz5qspeFE=; b=vm6JNZfmm4pAwUccfWmGQ7C7gfeeQlGA4tRXZaJjSTV/Q4sMHKRhCyqK94g8inH8iK2xd5bKtSGieZiaYv7ACidH2bfBxQzqzOkWy4d/0+StV4eZpEGBL4eLfbGPja0ePcd6vVl5/PFuHjYEwBjKecQVkv8uZh15+QCaWJo5P1B5B/TMda+Al0OSgMC/b4lAwA0pRMDr+bdje3HAi5hV2Jkszev5RS1wqtOw+HnrvTqQshwq/Eyi4iu3h4mEGv0xe3fkX2jD81LIfExusl6QIP5LpWdgCwssxuIeG6OYIu5sn8xwmOm+fyqlh4HxJEbRiYWYk09LbkuC4IsWrCK38Q==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=d4fb.606a02bd.k2104; bh=uk78X5R+f5tvWADVBPMXf7/wU2zFz56UZetz5qspeFE=; b=WJqXhgqOlIhnBmQo5UCxAp47cCiSG4Lw6e65XciUXPwH6yMqwaNvi5lwFDWUYORO+ZMmJfGWeZNU5J1wbEpZ7oy21WlCUqk9AS7Z2KKFtIUg0Ndk3oD1Uh0RoG1ES0HYHDgGLWLoOsBVzI2SNBUCtAsCxbOaCs1FjD5PAwGybz2/QVpUipv0Dp2oULj3rLW52r/qwf1hNwOR6En4N3lVOq+2QjG/cFpHB4GRe1/R8qPNsKCAzki6vl61F9P0XKd1puUQrok75SromwOMUK9bXw4sPuGemHLHBJKtgbHRjRmyP45SVD2MdIQ4GxKQoFwO1J4XpHPwYbZbCj71EtXt+A==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 04 Apr 2021 18:17:32 -0000
Received: by ary.qy (Postfix, from userid 501) id 2D34771F96BD; Sun, 4 Apr 2021 14:17:31 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id CF39671F969E; Sun, 4 Apr 2021 14:17:31 -0400 (EDT)
Date: 4 Apr 2021 14:17:31 -0400
Message-ID: <a232c63-bf8-2371-51e1-b64d119ad55d@taugh.com>
From: "John R Levine" <johnl@taugh.com>
To: "Kristijonas Lukas Bukauskas" <kr@n0.lt>, "John C Klensin" <john-ietf@jck.com>
Cc: ietf-smtp@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <e87c4a27cb86ec5b32f0539754c341f3@n0.lt>
References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5> <e87c4a27cb86ec5b32f0539754c341f3@n0.lt>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/5rUGcfR8yuoc5MvrHPDydzkSOqA>
Subject: Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2021 18:17:41 -0000

On Sun, 4 Apr 2021, Kristijonas Lukas Bukauskas wrote:
> Shouldn't an MTA-STS validator do *exactly* what RFC8461, section 4.1 says:

That's not how standards work.  If you follow the standard, you should be 
able to interoperate with other people that follow it.  If you don't, the 
results are unpredictable.  We don't try to anticipate every possible 
mistake both because it is a waste of time and because it is impossible. 
I suppose it would be nice if Microsoft sent a better error message but 
that's not a bug I can get very excited about.

You know that pointing your MX at a CNAME is a mistake, so it'll fail at 
random.  It's a somewhat common mistake, but it's still a mistake.  If it 
were me, I would fix it and move on.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
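The mistake under discussion, as an added example that is not part of the thread and is not code from any of the participants: a small lint that walks a domain's MX RRset, flags any MX target that is a CNAME alias (RFC 2181 section 10.3), and then matches each MX host against the "mx" patterns of an MTA-STS policy using the RFC 8461 section 4.1 rules (case-insensitive exact match, or a leading "*." wildcard that matches exactly one label). The DNS data is a constructed in-memory table with hypothetical names so the script runs offline; the policy patterns are likewise assumed. It shows why the result is unpredictable: the name in the MX record matches nothing in the policy, while the CNAME's canonical target would match, so the outcome depends on whether a given validator chases the alias.

```python
"""Lint MX targets for CNAME aliases and match them against MTA-STS mx patterns.

Editor-added example. DNS records below are a constructed table with
hypothetical names (example.test, provider.test); no network access is used.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data keyed by (owner name, RR type); owner names are
# stored lower-case with a trailing dot.
DNS: Dict[Tuple[str, str], List[str]] = {
    ("example.test.", "MX"): ["10 mail.example.test.", "20 alias.example.test."],
    ("mail.example.test.", "A"): ["192.0.2.10"],
    ("alias.example.test.", "CNAME"): ["mx2.provider.test."],  # the RFC 2181 violation
    ("mx2.provider.test.", "A"): ["192.0.2.20"],
}

# Assumed MTA-STS policy "mx" lines for example.test (hypothetical).
POLICY_MX = ["mail.example.test", "*.provider.test"]


def lookup(name: str, rrtype: str) -> List[str]:
    """Return the rdata strings for name/rrtype from the constructed table."""
    return DNS.get((name.lower(), rrtype), [])


def mx_targets(domain: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs from the domain's MX RRset, best first."""
    out = []
    for rdata in lookup(domain, "MX"):
        pref, host = rdata.split()
        out.append((int(pref), host.lower()))
    return sorted(out)


def cname_target(host: str) -> Optional[str]:
    """RFC 2181 s10.3: an MX target must not be a CNAME. Return the alias
    target if 'host' owns a CNAME record, otherwise None."""
    rrs = lookup(host, "CNAME")
    return rrs[0] if rrs else None


def mx_pattern_match(host: str, pattern: str) -> bool:
    """RFC 8461 s4.1 matching: case-insensitive exact match, or a pattern of
    the form '*.parent' that matches exactly one leading label (so
    '*.provider.test' matches 'mx2.provider.test' but neither 'provider.test'
    nor 'a.b.provider.test')."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == parent
    return host == pattern


def lint(domain: str, policy_mx: List[str]) -> List[str]:
    """Return human-readable findings for each MX of 'domain'."""
    findings = []
    for pref, host in mx_targets(domain):
        alias = cname_target(host)
        if alias:
            findings.append(f"MX {pref} {host}: target is a CNAME -> {alias} (RFC 2181 s10.3)")
        # The validator compares the name as it appears in the MX record,
        # not whatever the CNAME resolves to.
        if not any(mx_pattern_match(host, p) for p in policy_mx):
            msg = f"MX {pref} {host}: no match in MTA-STS mx patterns (RFC 8461 s4.1)"
            if alias and any(mx_pattern_match(alias, p) for p in policy_mx):
                msg += f"; canonical name {alias} would match only if the validator chased the CNAME"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in lint("example.test.", POLICY_MX):
        print(line)
```

Running it reports only the second MX: its target is a CNAME, and the alias name matches no policy pattern even though the canonical name would match "*.provider.test". Fixing the zone means pointing the MX at mx2.provider.test directly (or an A/AAAA-owning name in the policy), which makes both findings disappear.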