Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <kr@n0.lt> Fri, 02 April 2021 16:00 UTC

Return-Path: <kr@n0.lt>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DD283A1B43 for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 09:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=n0.lt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExXJmlmeMPRb for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from ixion.n0.lt (ixion.n0.lt [188.166.32.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BEE03A1B3D for <ietf-smtp@ietf.org>; Fri, 2 Apr 2021 09:00:08 -0700 (PDT)
Received: from webmail.n0.lt (localhost.localdomain [IPv6:::1]) by ixion.n0.lt (Postfix) with ESMTPSA id B7157FC427; Fri, 2 Apr 2021 16:00:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=n0.lt; s=default; t=1617379205; bh=i+qe6VEoQAwsq0zv7DLikKLGNUdmReARzrU10Mdu6A0=; h=From:To:Subject; b=iFogVwaBvsIN59Mlck6SKJoGeo5sCOodWX13ZPQ6UZAB6el90kiQ/6RbvKI5v4goT dqlFRFaSSHW/A5v/Vz9r96noy6bRZmR5zR5Nk19qzTdAtzZFh4qbrzo9KqsaIl29Up XAcmcLIttotXroG2JV8/cH8mqI3kor+ATSYxE/JQ=
Authentication-Results: ixion; spf=pass (sender IP is ::1) smtp.mailfrom=kr@n0.lt smtp.helo=webmail.n0.lt
Received-SPF: pass (ixion: connection is authenticated)
MIME-Version: 1.0
Date: Fri, 02 Apr 2021 19:00:05 +0300
From: Kristijonas Lukas Bukauskas <kr@n0.lt>
To: hsantos@isdg.net
Cc: ietf-smtp@ietf.org
In-Reply-To: <606733B6.3080609@isdg.net>
References: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt> <606733B6.3080609@isdg.net>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <1fef5201d846d503151e4e63fda10e97@n0.lt>
X-Sender: kr@n0.lt
Content-Type: multipart/alternative; boundary="=_622170d0e52fb77c09d7ac04cd700e95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Fym4UynIXbo3XxClTmj8UljKgLY>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 16:00:14 -0000

On 2021-04-02 18:09, Hector Santos wrote:

> If the receiver administrative policy is causing a pain and they don't
> see that you may not be the only one with MX->CNAME records and they
> do exist, they won't make an exception, then you're only left with one
> thing - comply with the 2181 specification.

This is the their recent response:

> As my colleagues who investigated this issued communicated, our 
> position is that this is primarily due
> to what we believe to be a non-RFC compliant MX record.
> Regardless of the liberal acceptance of this for regular mail, in this 
> case, our implementation of MTA-
> STS is not as liberal.
> Treating this as a feature request to support such behaviour leads us 
> to evaluate the importance of such work. Viktor's numbers (~0.3% +/- 
> 0.1% of MX records are CNAMEs) clearly shows this is not an urgent or 
> critical matter threatening the ecosystem and deployment of MTA-STS and 
> therefore we have rejected the
> request.
> I urge you to fix your MX record.

I still have a concern regarding an error returned in their aggregated 
TLS report:

> {"organization-name":"Microsoft 
> Corporation","date-range":{"start-datetime":"2021-03-31T00:00:00Z","end-
> datetime":"2021-03-31T23:59:59Z"},"contact-info":"tlsrpt-noreply@microsoft.com","report-
> id":"132617776923269755+n0.lt","policies":[{"policy":{"policy-type":"sts","policy-string":["version:
> STSv1","mode: enforce","mx: mx.n0.lt","max_age: 
> 84600"],"policy-domain":"n0.lt"},"summary":{"total-
> successful-session-count":0,"total-failure-session-count":36},"failure-details":[{"result-
> type":"certificate-host-mismatch","failed-session-count":36}]}]}

Is this a correct error to return, even if with CNAME/MX? (SANs are 
n0.lt and *.n0.lt in my cert.)

> "certificate-host-mismatch": This indicates that the certificate
> presented did not adhere to the constraints specified in the MTA-
> STS or DANE policy, e.g., if the MX hostname does not match any
> identities listed in the subject alternative name (SAN) [RFC5280]
  [https://tools.ietf.org/html/rfc8460#section-4.3.1]

> Good luck with your affair!! <g>

Thank you! :)

--
Regards,
Kristijonas