Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <> Fri, 02 April 2021 16:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8DD283A1B43 for <>; Fri, 2 Apr 2021 09:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ExXJmlmeMPRb for <>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9BEE03A1B3D for <>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from (localhost.localdomain [IPv6:::1]) by (Postfix) with ESMTPSA id B7157FC427; Fri, 2 Apr 2021 16:00:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1617379205; bh=i+qe6VEoQAwsq0zv7DLikKLGNUdmReARzrU10Mdu6A0=; h=From:To:Subject; b=iFogVwaBvsIN59Mlck6SKJoGeo5sCOodWX13ZPQ6UZAB6el90kiQ/6RbvKI5v4goT dqlFRFaSSHW/A5v/Vz9r96noy6bRZmR5zR5Nk19qzTdAtzZFh4qbrzo9KqsaIl29Up XAcmcLIttotXroG2JV8/cH8mqI3kor+ATSYxE/JQ=
Authentication-Results: ixion; spf=pass (sender IP is ::1)
Received-SPF: pass (ixion: connection is authenticated)
MIME-Version: 1.0
Date: Fri, 02 Apr 2021 19:00:05 +0300
From: Kristijonas Lukas Bukauskas <>
In-Reply-To: <>
References: <> <>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <>
Content-Type: multipart/alternative; boundary="=_622170d0e52fb77c09d7ac04cd700e95"
Archived-At: <>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Apr 2021 16:00:14 -0000

On 2021-04-02 18:09, Hector Santos wrote:

> If the receiver administrative policy is causing a pain and they don't
> see that you may not be the only one with MX->CNAME records and they
> do exist, they won't make an exception, then you're only left with one
> thing - comply with the 2181 specification.

This is the their recent response:

> As my colleagues who investigated this issued communicated, our 
> position is that this is primarily due
> to what we believe to be a non-RFC compliant MX record.
> Regardless of the liberal acceptance of this for regular mail, in this 
> case, our implementation of MTA-
> STS is not as liberal.
> Treating this as a feature request to support such behaviour leads us 
> to evaluate the importance of such work. Viktor's numbers (~0.3% +/- 
> 0.1% of MX records are CNAMEs) clearly shows this is not an urgent or 
> critical matter threatening the ecosystem and deployment of MTA-STS and 
> therefore we have rejected the
> request.
> I urge you to fix your MX record.

I still have a concern regarding an error returned in their aggregated 
TLS report:

> {"organization-name":"Microsoft 
> Corporation","date-range":{"start-datetime":"2021-03-31T00:00:00Z","end-
> datetime":"2021-03-31T23:59:59Z"},"contact-info":"","report-
> id":"","policies":[{"policy":{"policy-type":"sts","policy-string":["version:
> STSv1","mode: enforce","mx:","max_age: 
> 84600"],"policy-domain":""},"summary":{"total-
> successful-session-count":0,"total-failure-session-count":36},"failure-details":[{"result-
> type":"certificate-host-mismatch","failed-session-count":36}]}]}

Is this a correct error to return, even if with CNAME/MX? (SANs are and * in my cert.)

> "certificate-host-mismatch": This indicates that the certificate
> presented did not adhere to the constraints specified in the MTA-
> STS or DANE policy, e.g., if the MX hostname does not match any
> identities listed in the subject alternative name (SAN) [RFC5280]

> Good luck with your affair!! <g>

Thank you! :)