Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <kr@n0.lt> Thu, 01 April 2021 01:14 UTC

Return-Path: <kr@n0.lt>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDCF13A0A2E for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 18:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=n0.lt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbdSiVEiraJl for <ietf-smtp@ietfa.amsl.com>; Wed, 31 Mar 2021 18:14:34 -0700 (PDT)
Received: from ixion.n0.lt (ixion.n0.lt [188.166.32.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409083A0A29 for <ietf-smtp@ietf.org>; Wed, 31 Mar 2021 18:14:34 -0700 (PDT)
Received: from webmail.n0.lt (localhost.localdomain [IPv6:::1]) by ixion.n0.lt (Postfix) with ESMTPSA id E91D9FC1F2 for <ietf-smtp@ietf.org>; Thu, 1 Apr 2021 01:14:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=n0.lt; s=default; t=1617239670; bh=HYVW/HaQHcFTq0oOlqh7WJx7qn7ypPrugUUwCT38U/Y=; h=From:To:Subject; b=kktUecvt2FWI/cziAaNer0YAtdoKHe6293LSRA62Th9LyLB5SNqtKZYdnF5nVH/DI z+xWl5GL+RhjhtNPn/D4TLCTy++p79stjOn9Bfs9Hrps2pqKwzg0Faq9CsGEX8FvZ0 KjoqxmQ2EuJroDSeJmM18FcVdFuWsbdY3OwvEPdw=
Authentication-Results: ixion; spf=pass (sender IP is ::1) smtp.mailfrom=kr@n0.lt smtp.helo=webmail.n0.lt
Received-SPF: pass (ixion: connection is authenticated)
MIME-Version: 1.0
Date: Thu, 01 Apr 2021 04:14:29 +0300
From: Kristijonas Lukas Bukauskas <kr@n0.lt>
To: ietf-smtp@ietf.org
Reply-To: kr@n0.lt
In-Reply-To: <20210401003023.713A871BE253@ary.qy>
References: <20210401003023.713A871BE253@ary.qy>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <88a9c8fe66e4caf60e2fcf67efaa008f@n0.lt>
X-Sender: kr@n0.lt
Content-Type: multipart/alternative; boundary="=_b5b0adf0db7730c24af313e78a339b36"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/hYUrHZdkzM6ucy-8AUkdItlElIk>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 01:14:39 -0000

On 2021-04-01 03:30, John Levine wrote:

> Quite right.
> 
> "Doctor, doctor, it hurts when I do this."
> 
> "So don't do that."

Thank you for your position on the subject. :)

I'm _not_ advocating for MXs to point to CNAMEs because that's 
prohibited. You're right they mustn't be used. My question was 
different. To rephrase it: if MTA-STS validation should fail solely 
based on that, and whether such behavior of a Sending MTA honoring 
MTA-STS would be in accordance with RFC 8461.

By the way, from the last TLSRPT:

> {"organization-name":"Microsoft 
> Corporation","date-range":{"start-datetime":"2021-03-30T00:00:00Z","end-datetime":"2021-03-30T23:59:59Z"},"contact-info":"tlsrpt-noreply@microsoft.com","report-id":"132616914860181612+n0.lt","policies":[{"policy":{"policy-type":"sts","policy-string":["version: 
> STSv1","mode: enforce","mx: mx.n0.lt","max_age: 
> 84600"],"policy-domain":"n0.lt"},"summary":{"total-successful-session-count":0,"total-failure-session-count":492},"failure-details":[{"result-type":"certificate-host-mismatch","failed-session-count":492}]}]}

Do they complain about the certificate which includes both n0.lt and 
*.n0.lt anyways?

My questions here are being of an aim to discuss and for interpretation 
of  RFC(s) [especially RFC 8461] purpose only. :)

--
Regards,
Kristijonas