Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <kr@n0.lt> Tue, 06 April 2021 22:44 UTC

Date: Wed, 07 Apr 2021 01:44:08 +0300
From: Kristijonas Lukas Bukauskas <kr@n0.lt>
To: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Cc: ietf-smtp@ietf.org
In-Reply-To: <31d4e036-8a37-4ac7-bee0-194f33a09daf@gulbrandsen.priv.no>
Message-ID: <f78eb70a909a1d11629c9899223588dc@n0.lt>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/RNgQbRxTOp42VtuXa8JMVtr-_BM>

On 2021-04-06 23:33, Arnt Gulbrandsen wrote:

> Look it up and quote chapter and verse, please. I don't see anything
> of the kind. I do see wording in "my" enterprise documentation that
> IMO suggests a required ability to send to working sites, but nothing
> that requires Microsoft to provide a correct analysis of what is
> broken at sites outside Microsoft's control.

[DISCLAIMER: I am not a lawyer. The following is not legal advice. Even 
if I were a lawyer, this discussion would not make me *your* lawyer, and 
this would still not be legal advice. This is only my interpretation of 
the law and my opinion about some aspect thereof. Don't sue me if you do 
something unreasonable based on what I said; I disclaim all 
responsibility for your actions. Act at your own risk.]

https://www.microsoft.com/en-us/servicesagreement:

> 8. APPLICABLE LAW.
> 
> a. United States and Canada. If you acquired the application in the
> United States or Canada, the laws of the state or province where you
> live (or, if a business, where your principal place of business is
> located) govern the interpretation of these terms, claims for breach
> of them, and all other claims (including consumer protection, unfair
> competition, and tort claims), regardless of conflict of laws
> principles.
> 
> b. Outside the United States and Canada. If you acquired the
> application in any other country, the laws of that country apply.

> 9. LEGAL EFFECT.
> 
> This agreement describes certain legal rights. You may have other
> rights under the laws of your state or country. This agreement doesn't
> change your rights under the laws of your state or country if the laws
> of your state or country don't permit it to do so.

Thus, the client has rights laid down in the agreement plus the rights 
in the laws of the corresponding country. A service provider has 
obligations laid down in the agreement and might have obligations set in 
the laws of a corresponding country.

For example, local law here in Lithuania (Article 6.200 of the Civil 
Code of the Republic of 
Lithuania)[https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/TAIS.245495]:

> Principles of performance of a contract
> 
> * A contract must be performed by the parties in a proper way and in
>   good faith.
> * In performing a contract, each party shall be bound to contribute to
>   and to cooperate with the other party.
> * The parties shall be bound to use the most economical means in the
>   performance of the contract.
> * Where according to a contract or its nature, a party in exercising
>   certain actions is bound to make the best effort in the performance
>   of a contract, this party shall be bound to make such effort as a
>   reasonable person would make in the same circumstances.

If a party to a contract (the service provider) is a professional in its 
field with extensive experience, then, also due to the nature of the 
contract (e-mail services), although it is not reasonable to require the 
provider to examine internal third-party server errors or 
misconfiguration, it is reasonable to expect the provider to know why it 
cannot provide the service (why it fails to send out a message on its 
end) and, if requested, to explain those reasons to the client (sender). 
Showing specific errors (as opposed to generic ones) reflects the service 
provider's choice to provide detailed information. Being a professional, 
a service provider that shows detailed but misleading information (the 
client usually being the weaker side of the contract, especially when 
the client is a natural person) cannot be considered to be acting in 
good faith while performing the contract.

That's my view.

--

Regards,
Kristijonas