Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
Kristijonas Lukas Bukauskas <kr@n0.lt> Fri, 02 April 2021 16:00 UTC
Return-Path: <kr@n0.lt>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DD283A1B43 for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 09:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=n0.lt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExXJmlmeMPRb for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from ixion.n0.lt (ixion.n0.lt [188.166.32.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BEE03A1B3D for <ietf-smtp@ietf.org>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from webmail.n0.lt (localhost.localdomain [IPv6:::1]) by ixion.n0.lt (Postfix) with ESMTPSA id B7157FC427; Fri, 2 Apr 2021 16:00:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=n0.lt; s=default; t=1617379205; bh=i+qe6VEoQAwsq0zv7DLikKLGNUdmReARzrU10Mdu6A0=; h=From:To:Subject; b=iFogVwaBvsIN59Mlck6SKJoGeo5sCOodWX13ZPQ6UZAB6el90kiQ/6RbvKI5v4goT dqlFRFaSSHW/A5v/Vz9r96noy6bRZmR5zR5Nk19qzTdAtzZFh4qbrzo9KqsaIl29Up XAcmcLIttotXroG2JV8/cH8mqI3kor+ATSYxE/JQ=
Authentication-Results: ixion; spf=pass (sender IP is ::1) smtp.mailfrom=kr@n0.lt smtp.helo=webmail.n0.lt
Received-SPF: pass (ixion: connection is authenticated)
MIME-Version: 1.0
Date: Fri, 02 Apr 2021 19:00:05 +0300
From: Kristijonas Lukas Bukauskas <kr@n0.lt>
To: hsantos@isdg.net
Cc: ietf-smtp@ietf.org
In-Reply-To: <606733B6.3080609@isdg.net>
References: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt> <606733B6.3080609@isdg.net>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <1fef5201d846d503151e4e63fda10e97@n0.lt>
X-Sender: kr@n0.lt
Content-Type: multipart/alternative; boundary="=_622170d0e52fb77c09d7ac04cd700e95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Fym4UynIXbo3XxClTmj8UljKgLY>
Subject: Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 16:00:14 -0000
On 2021-04-02 18:09, Hector Santos wrote: > If the receiver administrative policy is causing a pain and they don't > see that you may not be the only one with MX->CNAME records and they > do exist, they won't make an exception, then you're only left with one > thing - comply with the 2181 specification. This is the their recent response: > As my colleagues who investigated this issued communicated, our > position is that this is primarily due > to what we believe to be a non-RFC compliant MX record. > Regardless of the liberal acceptance of this for regular mail, in this > case, our implementation of MTA- > STS is not as liberal. > Treating this as a feature request to support such behaviour leads us > to evaluate the importance of such work. Viktor's numbers (~0.3% +/- > 0.1% of MX records are CNAMEs) clearly shows this is not an urgent or > critical matter threatening the ecosystem and deployment of MTA-STS and > therefore we have rejected the > request. > I urge you to fix your MX record. I still have a concern regarding an error returned in their aggregated TLS report: > {"organization-name":"Microsoft > Corporation","date-range":{"start-datetime":"2021-03-31T00:00:00Z","end- > datetime":"2021-03-31T23:59:59Z"},"contact-info":"tlsrpt-noreply@microsoft.com","report- > id":"132617776923269755+n0.lt","policies":[{"policy":{"policy-type":"sts","policy-string":["version: > STSv1","mode: enforce","mx: mx.n0.lt","max_age: > 84600"],"policy-domain":"n0.lt"},"summary":{"total- > successful-session-count":0,"total-failure-session-count":36},"failure-details":[{"result- > type":"certificate-host-mismatch","failed-session-count":36}]}]} Is this a correct error to return, even if with CNAME/MX? (SANs are n0.lt and *.n0.lt in my cert.) > "certificate-host-mismatch": This indicates that the certificate > presented did not adhere to the constraints specified in the MTA- > STS or DANE policy, e.g., if the MX hostname does not match any > identities listed in the subject alternative name (SAN) [RFC5280] [https://tools.ietf.org/html/rfc8460#section-4.3.1] > Good luck with your affair!! <g> Thank you! :) -- Regards, Kristijonas
- [ietf-smtp] MTS-STS validation when MX host point… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTA-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTA-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Hector Santos
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… Dave Crocker
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Bron Gondwana
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas