Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Bron Gondwana <> Tue, 06 April 2021 07:17 UTC

References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5> <> <> <BE4982F24C6848D1624C4D1D@JcK-HP5> <>
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol (SMTP) [RFC 821, RFC 2821, RFC 5321]" <>

On Mon, Apr 5, 2021, at 08:26, Kristijonas Lukas Bukauskas wrote:
> But at the same time, I believe it's not too much to ask for from 
> Microsoft to either send messages to MXs that point to CNAMEs or at 
> least report errors correctly. They are huge. They can handle that.

This world view will not serve you well.

My view: Microsoft are big, therefore they have no need to test with weird error cases, because others will work around even their egregious bugs, let alone their imperfect handling of error conditions.

Also it's harder to get support for making any change in a large organisation without giving a good reason, and "Kristijonas wants it" isn't on the management approved list of good reasons.

It's not an ideal world, but we don't live in an ideal world.  We live in a real world, and in the real world "Microsoft are huge so they can handle the cost of doing what I want them to do" only works if you have a significant enough stick to incentivise them to do so.



  Bron Gondwana, CEO, Fastmail Pty Ltd