Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
Sam Varshavchik <mrsam@courier-mta.com> Thu, 01 April 2021 00:07 UTC
Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F593A1597 for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 17:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.437
X-Spam-Level: *
X-Spam-Status: No, score=1.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_PBL=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVjKt_T4Zu42 for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 17:07:45 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E613A3C50 for <ietf-smtp@ietf.org>; Wed, 31 Mar 2021 17:07:45 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8SMTPS id 00000000002C0015.0000000060650EC9.0000C5F9; Wed, 31 Mar 2021 20:07:36 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 000000000001E508.0000000060650EC8.0001AE14; Wed, 31 Mar 2021 20:07:36 -0400
References: <59a4ba6c024e3cdc2c10dc6edc673ef7@n0.lt>
Message-ID: <cone.1617235656.169201.109452.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Wed, 31 Mar 2021 20:07:36 -0400
Mime-Version: 1.0
X-Mime-Autoconverted: from 8bit to quoted-printable by mimegpg
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-109452-1617235656-0001"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/KfEN0oIlMR4Py_VOxn2-kb1ux4Q>
Subject: Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 00:07:50 -0000
Kristijonas Lukas Bukauskas writes: > Hello, > > I'm having an affair with one of the vendors as a sending MTA, honoring MTA- > STS (RFC 8461). Their response: > > > > > • Our TDS validation shows MX lookup for n0.lt returns n0.lt instead of > mx.n0.lt. It is consistent with what we are seeing with production. MX lookup for n0.lt. returns mx.n0.lt. n0.lt. 269 IN MX 10 mx.n0.lt. The CNAME comes from A and AAAA lookups on mx.n0.lt. That's my understanding of how DNS works. If you look up a record, and there's a CNAME for it, you get the CNAME then the record for the alias (if trusted, else the onus is on you to rerun the query). If you look up a record and it exists, you get it. Whether the name is another hostname, and that hostname has a CNAME alias, that's not the road that's been traveled, yet. >> Selecting an MX target host is regulated in a different RFC, namely and >> specifically in <URL:https://tools.ietf.org/html/rfc5321#section-5.1>RFC >> 5321 §5.1: I don't see this as an MX selection issue but as an STS validation issue. My stack agrees that the STS policy is valid. $ testmxlookup --dnssec n0.lt Domain n0.lt: STS: enforcing Relay: mx.n0.lt, Priority: 10, Address: ::ffff:188.166.32.32 (DNSSEC) Relay: mx.n0.lt, Priority: 10, Address: 2a03:b0c0:2:d0::d1b:a001 (DNSSEC) CNAME here involves the resolution of the mx.n0.lt hostname. The n0.lt resolves to mx.n0.lt. Everything here passes my interpretation of STS verification rules. > As advised by one of the authors of RFC 8461, I'm reaching out to the IETF > SMTP list for your opinions, namely if MTA-STS, in theory, should fail to > validate if an MX points to a CNAME. I see nothing in RFC 8461 that seems to disallow it. In fact, this statement seems rather unambiguous to me: 4.1. MX Host Validation A receiving candidate MX host is valid according to an applied MTA- STS Policy if the MX record name matches one or more of the "mx" fields in the applied policy. Matching is identical to the rules given in [RFC6125], The "MX" record here is: n0.lt. 300 IN MX 10 mx.n0.lt. That's the DNS record. And it squares up with the policy file. And the "Server Identify Check" portion in rfc6125 seems to prohibit using CNAME aliases for hostname validation: 2.4. Server Identity Check During the TLS negotiation, the client MUST check its understanding of the server hostname against the server's identity as presented in the server Certificate message, in order to prevent man-in-the-middle attacks. Matching is performed according to these rules: o The client MUST use the server hostname it used to open the connection as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup). CNAME canonicalization is not done. This seems to be consistent with traditional certificate validation rules: www.yahoo.com. 60 IN CNAME new-fp-shed.wg1.b.yahoo.com. My browser is happy to load https://www.yahoo.com, and validate the certificate for the CN of www.yahoo.com, instead of this alphabet soup. An alternative interpretation here would have the result of the STS policy file validating n0.lt, but a TLS connection will need to validate a certificate for mx.n0.lt. In this case it wouldn't matter, the same cert works for both, but that doesn't quite add together, for me.
- [ietf-smtp] MTS-STS validation when MX host point… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTA-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTA-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Hector Santos
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… Dave Crocker
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Bron Gondwana
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas