Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <> Tue, 06 April 2021 20:04 UTC

Date: Tue, 06 Apr 2021 23:04:48 +0300
From: Kristijonas Lukas Bukauskas <>
To: Bron Gondwana <>

On 2021-04-06 10:16, Bron Gondwana wrote:

> It's not an ideal world, but we don't live in an ideal world.  We live 
> in a real world, and in the real world "Microsoft are huge so they can 
> handle the cost of doing what I want them to do" only works if you have 
> a significant enough stick to incentivise them to do so.

I believe O365 clients of *paid* services could argue this is a breach
of the contract. A client wants to deliver a message to Sending MTA
misleadingly says: Receiving MTA of has the problem A (MTA-STS
validation failed), that's why we can't provide you a service you paid
for. If that's not the case (and I suppose it's not: RFC 8461,
section 4.1 defines MX host validation by matching MX record *name*
against the MTA-STS policy; the end).

Things are more complicated, I believe, and it depends on the 
jurisdiction(s), but when refusing to provide a paid service, I'd see 
the correct error reporting as a minimum requirement: by either showing 
generic or more specific errors, but never misleading ones.

That's more of a legal question though.
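The RFC 8461 section 4.1 rule the message cites, matching the MX record's own hostname (exact or one-label wildcard) against the policy's `mx` entries, as an added illustration that is not code from this thread; the policy text, MX names and the CNAME target are constructed sample data.

```python
"""RFC 8461 section 4.1 MX host validation against an MTA-STS policy.
Added illustration, not the thread's code; sample data below is constructed."""
from __future__ import annotations

def parse_policy(text: str) -> dict:
    """Parse the key/value MTA-STS policy body (RFC 8461 section 3.2)."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def _canon(name: str) -> str:
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower()

def mx_matches_pattern(mx_host: str, pattern: str) -> bool:
    """Section 4.1: a pattern either equals the MX hostname, or is a leading
    '*.' wildcard that matches exactly one additional label (no deeper)."""
    host, pat = _canon(mx_host), _canon(pattern)
    if pat.startswith("*."):
        suffix = pat[2:]
        if not host.endswith("." + suffix):
            return False
        prefix = host[: -(len(suffix) + 1)]
        return bool(prefix) and "." not in prefix
    return host == pat

def mx_host_valid(mx_host: str, policy: dict) -> bool:
    """The name checked is the hostname as it appears in the MX record,
    not whatever a CNAME chain behind that name resolves to."""
    return any(mx_matches_pattern(mx_host, p) for p in policy["mx"])

POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mx1.example.net\nmx: *.mail.example.net\nmax_age: 604800\n"
# Constructed MX RR targets; mx1 is imagined to be a CNAME for the host below.
MX_RECORDS = ["mx1.example.net.", "smtp.mail.example.net", "deep.a.mail.example.net"]
CNAME_TARGET_OF_MX1 = "mx1.hosting-provider.example"

def validate_all(mx_records=MX_RECORDS, policy_text=POLICY_TEXT) -> dict[str, bool]:
    policy = parse_policy(policy_text)
    return {mx: mx_host_valid(mx, policy) for mx in mx_records}
```

Running `validate_all()` accepts the first two MX names and rejects the two-label wildcard case; feeding `CNAME_TARGET_OF_MX1` to `mx_host_valid` fails, which is why a checker that validates the resolved canonical name instead of the MX record name reports a policy mismatch the policy does not actually contain.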