Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Sam Varshavchik <mrsam@courier-mta.com> Thu, 01 April 2021 00:07 UTC

Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F593A1597 for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 17:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.437
X-Spam-Level: *
X-Spam-Status: No, score=1.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_PBL=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVjKt_T4Zu42 for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 17:07:45 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E613A3C50 for <ietf-smtp@ietf.org>; Wed, 31 Mar 2021 17:07:45 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8SMTPS id 00000000002C0015.0000000060650EC9.0000C5F9; Wed, 31 Mar 2021 20:07:36 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 000000000001E508.0000000060650EC8.0001AE14; Wed, 31 Mar 2021 20:07:36 -0400
References: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt>
Message-ID: <cone.1617235656.169201.109452.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Wed, 31 Mar 2021 20:07:36 -0400
Mime-Version: 1.0
X-Mime-Autoconverted: from 8bit to quoted-printable by mimegpg
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-109452-1617235656-0001"; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/KfEN0oIlMR4Py_VOxn2-kb1ux4Q>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 00:07:50 -0000

Kristijonas Lukas Bukauskas writes:

> Hello,
>
> I'm having an affair with one of the vendors as a sending MTA, honoring MTA- 
> STS (RFC 8461). Their response:
>
>
>
>
>    • Our TDS validation shows MX lookup for n0.lt returns n0.lt instead of
>    mx.n0.lt. It is consistent with what we are seeing with production. 

MX lookup for n0.lt. returns mx.n0.lt.

n0.lt.			269	IN	MX	10 mx.n0.lt.

The CNAME comes from A and AAAA lookups on mx.n0.lt. That's my understanding  
of how DNS works. If you look up a record, and there's a CNAME for it, you  
get the CNAME then the record for the alias (if trusted, else the onus is  
on you to rerun the query). If you look up a record and it exists, you get  
it. Whether the name is another hostname, and that hostname has a CNAME  
alias, that's not the road that's been traveled, yet.

>> Selecting an MX target host is regulated in a different RFC, namely and  
>> specifically in <URL:https://tools.ietf.org/html/rfc5321#section-5.1>RFC  
>> 5321 §5.1:

I don't see this as an MX selection issue but as an STS validation issue. My  
stack agrees that the STS policy is valid.

$ testmxlookup --dnssec n0.lt
Domain n0.lt:
STS: enforcing
Relay: mx.n0.lt, Priority: 10, Address: ::ffff:188.166.32.32 (DNSSEC)
Relay: mx.n0.lt, Priority: 10, Address: 2a03:b0c0:2:d0::d1b:a001 (DNSSEC)

CNAME here involves the resolution of the mx.n0.lt hostname. The n0.lt  
resolves to mx.n0.lt. Everything here passes my interpretation of STS  
verification rules.

> As advised by one of the authors of RFC 8461, I'm reaching out to the IETF  
> SMTP list for your opinions, namely if MTA-STS, in theory, should fail to  
> validate if an MX points to a CNAME. 

I see nothing in RFC 8461 that seems to disallow it. In fact, this statement  
seems rather unambiguous to me:

4.1.  MX Host Validation

   A receiving candidate MX host is valid according to an applied MTA-
   STS Policy if the MX record name matches one or more of the "mx"
   fields in the applied policy.  Matching is identical to the rules
   given in [RFC6125],

The "MX" record here is:

n0.lt.			300	IN	MX	10 mx.n0.lt.

That's the DNS record.

And it squares up with the policy file. And the "Server Identify Check"  
portion in rfc6125 seems to prohibit using CNAME aliases for hostname  
validation:

2.4.  Server Identity Check

   During the TLS negotiation, the client MUST check its understanding
   of the server hostname against the server's identity as presented in
   the server Certificate message, in order to prevent man-in-the-middle
   attacks.  Matching is performed according to these rules:

   o  The client MUST use the server hostname it used to open the
      connection as the value to compare against the server name as
      expressed in the server certificate.  The client MUST NOT use any
      form of the server hostname derived from an insecure remote source
      (e.g., insecure DNS lookup).  CNAME canonicalization is not done.

This seems to be consistent with traditional certificate validation rules:

www.yahoo.com.		60	IN	CNAME	new-fp-shed.wg1.b.yahoo.com.

My browser is happy to load https://www.yahoo.com, and validate the  
certificate for the CN of www.yahoo.com, instead of this alphabet soup.

An alternative interpretation here would have the result of the STS policy  
file validating n0.lt, but a TLS connection will need to validate a  
certificate for mx.n0.lt. In this case it wouldn't matter, the same cert  
works for both, but that doesn't quite add together, for me.