Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> Tue, 06 April 2021 20:33 UTC

Return-Path: <arnt@gulbrandsen.priv.no>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E1EF3A2FA1 for <ietf-smtp@ietfa.amsl.com>; Tue, 6 Apr 2021 13:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gulbrandsen.priv.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SmrU8llH6DJl for <ietf-smtp@ietfa.amsl.com>; Tue, 6 Apr 2021 13:33:32 -0700 (PDT)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [IPv6:2a01:4f8:191:91a8::3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C10A3A2F9F for <ietf-smtp@ietf.org>; Tue, 6 Apr 2021 13:33:31 -0700 (PDT)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [IPv6:2a01:4f8:191:91a8::3]) by stabil.gulbrandsen.priv.no (Postfix) with ESMTP id 618E6C0072; Tue, 6 Apr 2021 21:41:06 +0100 (IST)
Authentication-Results: stabil.gulbrandsen.priv.no; dmarc=none (p=none dis=none) header.from=gulbrandsen.priv.no
Authentication-Results: stabil.gulbrandsen.priv.no; spf=none smtp.mailfrom=arnt@gulbrandsen.priv.no
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gulbrandsen.priv.no; s=mail; t=1617741666; bh=ba6Yg/Wx5LSXEFW0bmyJ6s/9sheHu94wx92t5ABB3lw=; h=From:To:Subject:Date:In-Reply-To:References:From; b=ZunH1wxdOcIG9zGosaeNmMI5NfUEtsY/XsXlaevTFwBeIqe7sRDzPwK2Pr9om+9CN Yc2Pg3xs9WlN/LVP1vCSk+5CcLmz/ag/0K73TLqGoDb7QIEsicU5S7oXI00IGoQqIY AVoymfwTHhkqzaAlJfHMdB8wt8zL08RnX+m0xsHM=
Received: from arnt@gulbrandsen.priv.no by stabil.gulbrandsen.priv.no (Archiveopteryx 3.2.0) with esmtpsa id 1617741665-23911-23908/9/31; Tue, 6 Apr 2021 20:41:05 +0000
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: ietf-smtp@ietf.org
Date: Tue, 6 Apr 2021 22:33:28 +0200
Mime-Version: 1.0
Message-Id: <31d4e036-8a37-4ac7-bee0-194f33a09daf@gulbrandsen.priv.no>
In-Reply-To: <741de85508e5d4d8622ccb178bc82fbf@n0.lt>
References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5> <e87c4a27cb86ec5b32f0539754c341f3@n0.lt> <a232c63-bf8-2371-51e1-b64d119ad55d@taugh.com> <BE4982F24C6848D1624C4D1D@JcK-HP5> <2a09c64747a5c027c2655671ada3b3f8@n0.lt> <71ceffea-7837-4502-9eff-929008b032c5@dogfood.fastmail.com> <741de85508e5d4d8622ccb178bc82fbf@n0.lt>
User-Agent: Trojita/0.7; Qt/5.11.3; xcb; Linux; Devuan GNU/Linux 3 (beowulf)
Content-Type: text/plain; charset=utf-8; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/eanIMFdsiUqjpsp-a-Xw_-KCsGU>
Subject: Re: [ietf-smtp] =?iso-8859-1?q?MTS-STS_validation_when_MX_host_point?= =?iso-8859-1?q?s_to_a_CNAME=2C_violating_RFC_2181_=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 20:33:37 -0000

On Tuesday 6 April 2021 22:04:48 CEST, Kristijonas Lukas Bukauskas wrote:
> I believe O365 clients of *paid* services could argue this is a 
> breach of the contract. A client wants to deliver a message to 
> user@example.com. Sending MTA misleadingly says: Receiving MTA 
> of user@example.com has the problem A (MTA-STS validation 
> failed), that's why we can't provide you a service you paid for. 
> If that's not the case (and I suppose it's not: RFC8461, section 
> 4.1 defines MX host Validation by matching MX record *name* 
> against MTA-STS policy; the end).

Look it up and quote chapter and verse, please. I don't see anything of the 
kind. I do see wording in "my" enterprise documentation that IMO suggests a 
required ability to send to working sites, but nothing that requires 
Microsoft to provide a correct analysis of what is broken at sites outside 
Microsoft's control.

Arnt