Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

[Kristijonas Lukas Bukauskas <kr@n0.lt>]

On 2021-04-04 23:53, John C Klensin wrote:

> (2) With regard to both the above and the note Kristijonas
> posted a few minutes ago, if RFC 8461 says anything that appears
> to contradict the above, it is a bug and those who care should
> be generating errata or, better yet, working on an update.  8461
> can --at least as long as it is consistent with other deployed
> specs-- say anything it likes about certificates, where they
> come from, and how they are validated.  But, it is can be read
> as encouraging violation of 5321 in a specification that is
> clearly about SMTP, that is bad news.

What is MTA-STS when in enforce mode?

> "enforce": In this mode, Sending MTAs MUST NOT deliver the
>      message to hosts that fail MX matching or certificate validation
>      or that do not support STARTTLS.


1) failed MX matching, as per section 4.1;
2) failed certificate validation, as per section 4.2
3) a host doesn't support STARTTLS

Those seem to be the only reasons that a Sending MTA honoring MTA-STS 
MAY and MUST NOT deliver the messages when sending to an MX at a domain 
for which the sender has a valid and non-expired MTA-STS Policy, as 
least per MTA-STS, and to the best of my knowledge.

Can there exist other reasons, not related to MTA-STS, that allows or 
obliges the sending MTA not to deliver messages? It sure can. Is MX 
pointing to CNAME one of them?

Other than interpreting the:

> Any other response, specifically including a value that will return a
>   CNAME record when queried, lies outside the scope of this Standard.

as “It is your problem if the target of the MX refers to a CNAME
and things break"

-- is it explicitly standardized what MTA should do with such MX 
records/hosts when delivering mail?
If not, can an MTA do whatever and report it as an MTA-STS validation 
error when it's not?

On 2021-04-05 00:23, John R Levine wrote:
> You might also consider that some of the people you're arguing with
> have been writing standards documents since before you were born, so
> perhaps they have some experience worth learning from.

My apologies if I sound(ed) cocky. I am really grateful for everyone's 
thoughts. Without a shadow of a doubt, all the responses are valuable to 
me and they will encourage me to keep reading RFCs more carefully and to 
comply with them. After all, it is not fair to ask of others what you 
are not willing to do yourself. :)

But at the same time, I believe it's not too much to ask for from 
Microsoft to either send messages to MXs that point to CNAMEs or at 
least report errors correctly. They are huge. They can handle that.

Thank's everyone!

--
Warm regards,
Kristijonas

       __            /^\
     .'  \          / :.\
    /     \         | :: \
   /   /.  \       / ::: |
  |    |::. \     / :::'/
  |   / \::. |   / :::'/
  `--`   \'  `~~~ ':'/`
          /         (
         /   0 _ 0   \
       \/     \_/     \/
     -== '.'   |   '.' ==-
       /\    '-^-'    /\
         \   _   _   /
        .-`-((\o/))-`-.
   _   /     //^\\     \   _
."o".(    , .:::. ,    )."o".
|o  o\\    \:::::/    //o  o|
  \    \\   |:::::|   //    /
   \    \\__/:::::\__//    /
    \ .:.\  `':::'`  /.:. /
     \':: |_       _| ::'/
  jgs `---` `"""""` `---`

Happy Easter!