Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Hector Santos <hsantos@isdg.net> Fri, 02 April 2021 15:09 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C25CC3A19CD for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 08:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=BEFCxsc8; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=Ph4QnxME
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kewtx4bm2bVh for <ietf-smtp@ietfa.amsl.com>; Fri, 2 Apr 2021 08:09:54 -0700 (PDT)
Received: from mail.winserver.com (pop3.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED9FF3A19CB for <ietf-smtp@ietf.org>; Fri, 2 Apr 2021 08:09:52 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6148; t=1617376181; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=76uYbGdYOCqYkZ0s4Tg9pa6R59zf xiqRUgN7FaK6SHw=; b=BEFCxsc8f6OsrMUxMOR3Bw9eUNfs/B2aQ/slLQUbEHgk Ps2QWhthHowCUqsmdCSkG9ZwWyj0qSIUYQgSFj3CEEllNrpc2ZALl0ViaFeYNcRU 02ZTRT8ehthWVy/4rh4l4q5oqs+TZ0l6HoWPalnWEAHcpRdV5hwxKZtYV/XpiHs=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for ietf-smtp@ietf.org; Fri, 02 Apr 2021 10:09:41 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1409362907.16729.3920; Fri, 02 Apr 2021 10:09:40 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6148; t=1617376171; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=76uYbGd YOCqYkZ0s4Tg9pa6R59zfxiqRUgN7FaK6SHw=; b=Ph4QnxMEzDV7jmEOb+X1y8D QSKTOUz4r3Z648DyloctJ9xHHPAajOrZqZUapXQDgmcNZ7LXL2tWzsqUhp4rv1gI mbBEXdPTGfM0Mtjo4MmsBNejahTSeHLBVLIbUMvYVVkzEsYBOp31KPW4ptgiGGau CX2s+6BdJQ14ScsVWZVI=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for ietf-smtp@ietf.org; Fri, 02 Apr 2021 11:09:31 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2093014956.1.22064; Fri, 02 Apr 2021 11:09:29 -0400
Message-ID: <606733B6.3080609@isdg.net>
Date: Fri, 02 Apr 2021 11:09:42 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: ietf-smtp@ietf.org
References: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt>
In-Reply-To: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/KQwf9HliokWDyAWCkgcK561y5FE>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 15:10:00 -0000

Affair?   Nice!!  <g>

As a SMTP developer, I have designed my DNS resolver to resolve CNAME 
even if it came during a MX query simply because they do exist in the 
wild and who I am to argue with a customer when it came to delivering 
mail,  "Oh I'm sorry but you can't sent mail because the destination 
is not following the rules."   CNAME is expanded as part of the IP 
expansion process to get a sorted list and all that before a Round 
Robin outbound session login begins. RFC2181 does suggest this can be 
expensive and I will say, that is probably mostly true back in 1997 
where even a PTR was expensive -- it is accepted today, if fact, 
increasingly required by many mail host.

I don't follow RFC8461 so I have no generated no rules or a higher bar 
for MX-TST technical protocol requirements.  I don't know how it works 
(didn't read it).  But overall, administrators applying 8461 believing 
using a CNAME for MX as is reason for rejecting a transaction is a 
local policy concept.   It can happen. Even the ietf.org, a SDO, has 
applied SPAM associations with mail clients using legal EHLO 
[ip-literal] SMTP usage.  I am not going to change my SMTP compliance 
because the ietf.org mail administrators has refused to follow the 
RFC2821/5321 SMTP specs first and subjectively apply an general 
ip-literal usage restriction.  Its a local policy.  In our SMTP 
client, we send public DNS host name first, fallback to an ip-literal 
and/or an local site override is used. Doing a CBV check, an 
ip-literal is used to optimized CBV preparation.  We white listed the 
ietf.org site to stopped the CBV check on them.

Overall, Postel's law!!

"Be conservative in what you send, be liberal in what you accept"

If the receiver administrative policy is causing a pain and they don't 
see that you may not be the only one with MX->CNAME records and they 
do exist, they won't make an exception, then you're only left with one 
thing - comply with the 2181 specification.

Good luck with your affair!! <g>


On 3/31/2021 5:44 PM, Kristijonas Lukas Bukauskas wrote:
>
> Hello,
>
> I'm having an affair with one of the vendors as a sending MTA, 
> honoring MTA-STS (RFC 8461). Their response:
>
>      1. Our TDS validation shows MX lookup for n0.lt returns
>         *n0.lt* instead of*mx.n0.lt*. It is consistent with what we
>         are seeing with production.
>
>         /remote server(451 4.4.8 MX hosts of 'n0.lt' failed MTA-STS
>         validation.)' 3/24/2021 3:36:19 PM - Server at n0.lt
>         (0.0.0.0) returned '450 4.4.317 Cannot connect to remote
>         server [Message=451 4.4.8 MX hosts of 'n0.lt' failed MTA-STS
>         validation.] [LastAttemptedServerName=*n0.lt]*/
>      2. We can confirm that customer is not RFC compliant with MX
>         pointing to a CNAME and we don't think it is worth to change
>         the logic to accommodate that.
>      3. Customer does have an easy fix on their side, just to modify
>         their STS Policy to include n0.lt as one of the supported MX
>         record.
>
>
>
> My objections:
>
>
>> I'm familiar with a general prohibition, pursuant to RFC 2181 § 
>> 10.3 <https://tools.ietf.org/html/rfc2181#section-10.3>, for MX 
>> records to point to CNAMEs. Despite that, I do not believe that it 
>> should affect MX host validation in accordance with RFC 8 
>> <https://tools.ietf.org/html/rfc8461#section-4.1>461§4.1 
>> <https://tools.ietf.org/html/rfc8461#section-4.1>when selecting a 
>> target MX host, for the reasons of:
>>
>> 1.
>>
>>     RFC 2181 is an RFC on Clarifications to the DNS Specification,
>>     not SMTP.
>>
>> 2.
>>
>>     Selecting an MX target host is regulated in a different RFC,
>>     namely and specifically in RFC 5321 §5.1
>>     <https://tools.ietf.org/html/rfc5321#section-5.1>:
>>
>>
>>>     If MX records are present, but none of them are usable, this
>>>     situation MUST be reported as an error.<...> When a domain
>>>     name associated with an MX RR is looked up and the associated
>>>     data field obtained, the data field of that response *MUST
>>>     contain a domain name*. That domain name, when queried, MUST
>>>     return at least one address record (e.g., A or AAAA RR) that
>>>     gives the IP address of the SMTP server to which the message
>>>     should be directed. _*Any other response, specifically
>>>     including a value that will return a CNAME record when
>>>     queried, lies outside the scope of this Standard*_. The
>>>     prohibition on labels in the data that resolve to CNAMEs is
>>>     discussed in more detail in RFC 2181, Section 10.3 [38]
>>
>>
>> 2.
>>
>>     Thus, the prohibition of CNAMEs is *NOT* an SMTP or MTA-STS
>>     issue. As per the RFC 5321 §5.1, which is used to select an MX
>>     target host, pursuant to RFC 8461 §4.1 (MX Host validation),
>>     vendors are *NOT* allowed to choose a different host name (in
>>     my scenario, n0.lt instead of mx.n0.lt which is found in MX
>>     record). The situation MUST be reported as an error, if none of
>>     the found records are usuable. That MUST happened even if the
>>     target domain has not deployed MTA-STS. And this doesn’t seem
>>     to be the case. When MTA-STS is not deployed, Microsoft, as a
>>     sending MTA doesn’t return any errors.
>>
>> 3.
>>
>>     No major providers (including, but not limited to Gmail) nor
>>     publicly available MTA-STS tests (including, but not limited to
>>     My Email Communications Security Assessment (MECSA) by European
>>     Commission’s Joint Research Center) doesn’t select n0.lt
>>     instead of mx.n0.lt which is found in MX record nor does it
>>     show any errors, suggesting my interpretation of different RFCs
>>     is most likely correct.
>>
>
>
> As advised by one of the authors of RFC 8461, I'm reaching out to 
> the IETF SMTP list for your opinions, namely if MTA-STS, in theory, 
> should fail to validate if an MX points to a CNAME.
>
> Any insights would be much appreciated and thanked in advance. :)
>
> --
> Regards,
> Kristijonas
>
>
>
> _______________________________________________
> ietf-smtp mailing list
> ietf-smtp@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-smtp


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos