Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Mark Andrews <marka@isc.org> Sun, 04 April 2021 21:03 UTC

From: Mark Andrews <marka@isc.org>
Date: Mon, 05 Apr 2021 07:03:10 +1000
Message-Id: <8F9726BB-BA81-48F6-9812-0AC2C979E814@isc.org>
References: <014d4bd9-efa3-4a10-8b4d-c4f205336d2d@gulbrandsen.priv.no>
Cc: Kristijonas Lukas Bukauskas <kr@n0.lt>, ietf-smtp@ietf.org
In-Reply-To: <014d4bd9-efa3-4a10-8b4d-c4f205336d2d@gulbrandsen.priv.no>
To: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/AAZQL2rFI3splzunbot1d-SUSgA>

The rules about MX and CNAME are primarily there so an MTA can easily identify itself by name and not produce mail loops. If you are sending email to a CNAME then you are using a name the MTA doesn't know itself by, so it can't reject the MX and any equal or higher value MX. Lots of mail used to bounce because mail was sent to an alias.

To do the same filtering with CNAMEs you need to look up address records for each MX target and check all the CNAME targets as well for a match. You go from a single MX lookup that has to work to MX plus multiple A and AAAA lookups that have to work, and you have to describe the behavior when those lookups fail.
-- 
Mark Andrews

> On 5 Apr 2021, at 06:31, Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> wrote:
> 
> What John Levine says.
> 
> You can say things like "those people should be liberal in what they accept and overlook my minor error" but sometimes you run into people who aren't conservative, just like you aren't conservative if you violate a rule knowingly. And sometimes you run into people who haven't tested their handling of the error you commit, and untested code breaks, that's a <beep> <beep> axiom.
> 
> Arnt
> 
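As an added illustration of the two checks Mark Andrews contrasts above (not code from the thread or from any MTA), the following Python runs the RFC 5321 name-based MX pruning and the address-based variant over a constructed zone; the zone contents, host names and addresses are all assumed.

```python
# Constructed DNS data (not real): example.org's MX points at a CNAME, so the
# name the MTA knows itself by ("mail.example.org.") never appears in the MX list.
ZONE = {
    "example.org.": {"MX": [(10, "mail-alias.example.org."), (20, "backup.example.net.")]},
    "mail-alias.example.org.": {"CNAME": "mail.example.org."},
    "mail.example.org.": {"A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    "backup.example.net.": {"A": ["198.51.100.25"]},
    "broken.example.": {"MX": [(10, "ghost.broken.example.")]},  # target has no records
}

LOCAL_NAMES = {"mail.example.org."}           # names this MTA knows itself by
LOCAL_ADDRS = {"192.0.2.25", "2001:db8::25"}  # addresses it listens on


def lookup_mx(zone, domain):
    return sorted(zone.get(domain, {}).get("MX", []))


def _prune(mx_list, own_prefs):
    # RFC 5321 section 5.1: drop our own entry and every MX with an equal or
    # higher preference value. None means "could not identify ourselves at all";
    # an empty list means every candidate was pruned, i.e. a mail loop.
    if not own_prefs:
        return None
    cutoff = min(own_prefs)
    return [(p, h) for p, h in mx_list if p < cutoff]


def prune_by_name(mx_list, local_names=LOCAL_NAMES):
    """Cheap check: one MX lookup, compared against our own host names."""
    return _prune(mx_list, [p for p, h in mx_list if h.lower() in local_names])


def resolve_addresses(zone, name, max_chain=8):
    """Follow a CNAME chain (bounded), then collect A and AAAA records.
    Raises LookupError when any step has no data; a real MTA has to define
    what it does in that case (defer the message, or treat the MX as not-self)."""
    seen = set()
    while "CNAME" in zone.get(name, {}):
        if name in seen or len(seen) >= max_chain:
            raise LookupError(f"CNAME chain at {name} loops or is too long")
        seen.add(name)
        name = zone[name]["CNAME"]
    if name not in zone:
        raise LookupError(f"no address records for {name}")
    return set(zone[name].get("A", [])) | set(zone[name].get("AAAA", []))


def prune_by_address(mx_list, zone=ZONE, local_addrs=LOCAL_ADDRS):
    """Expensive check: resolve every MX target through its CNAMEs and match on
    address; each of those extra lookups must succeed before mail can be routed."""
    own = [p for p, h in mx_list if resolve_addresses(zone, h) & local_addrs]
    return _prune(mx_list, own)
```

For example.org the name check returns None (the MTA cannot see itself in the list), while the address check prunes everything and so exposes the loop; for broken.example the address check cannot even complete.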