Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Kristijonas Lukas Bukauskas <> Sun, 04 April 2021 18:07 UTC

Date: Sun, 04 Apr 2021 21:07:28 +0300
From: Kristijonas Lukas Bukauskas <>
To: John C Klensin <>
Cc: John Levine <>,,
In-Reply-To: <70B5B7CCF6D64FBA195CCAA5@JcK-HP5>
References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5>

On 2021-04-04 18:00, John C Klensin wrote:

> But the bottom line here, as John and others have suggested, is
> that the right answer to the question in the subject line is
> that an SMTP sender encountering an MX record whose DATA points
> to a CNAME (or anything other than an address record) should
> just treat the message as undeliverable, a popular
> implementation or two notwithstanding.  And worrying about
> validating the clearly invalid just does not make a lot of sense.

Shouldn't an MTA-STS validator do *exactly* what RFC 8461, section 4.1 
says: if the *MX record name* matches one or more of the "mx" fields in 
the applied policy, a receiving candidate MX host is *valid* according 
to an applied MTA-STS Policy? And thus, MX Host Validation passes, even 
if the MX record itself is otherwise invalid. Match the MX record name 
against "mx" fields in the applied policy. That's it. Conditions to pass 
validation here are exhaustive, not inclusive, even if a Sending MTA 
honoring MTA-STS might not like that, and even if it wants to be less 
liberal or whatever. Exhaustive conditions were met -- validation
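The MX-name check the reply refers to (RFC 8461, section 4.1), worked through as an added example that is not part of this thread and not the code of any MTA. The policy text, the MX RRset and the function names are constructed for illustration; the wildcard rule (a leading `*.` matches exactly one label, case-insensitively) is the one RFC 8461 specifies.

```python
"""
Added example (not from the ietf-smtp thread): MTA-STS MX host validation
per RFC 8461 section 4.1. The match is made on the MX record *name* only;
nothing here resolves that name, so whether it is a CNAME is out of scope.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed MTA-STS policy file, in the key/value format RFC 8461 uses.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.net
max_age: 604800
"""

# Constructed MX RRset as (preference, exchange) pairs. The third host is not
# covered by the policy, so an enforcing sender must not deliver to it.
MX_RECORDS = [
    (10, "MX1.Example.COM."),
    (20, "relay.backup.example.net."),
    (30, "mx3.example.com."),
]


def _normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so DNS and policy spellings compare equal."""
    return name.rstrip(".").lower()


def mx_pattern_matches(pattern: str, mx_name: str) -> bool:
    """True if one policy 'mx' field matches an MX record name.

    Exact names match case-insensitively. A pattern beginning with '*.'
    matches names with exactly one extra leftmost label: '*.example.com'
    matches 'mail.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern, mx_name = _normalize(pattern), _normalize(mx_name)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not mx_name.endswith("." + suffix):
            return False
        leftmost = mx_name[: -(len(suffix) + 1)]
        return leftmost != "" and "." not in leftmost
    return pattern == mx_name


def parse_policy(text: str) -> Dict[str, object]:
    """Minimal parser for the policy file; repeated 'mx' keys accumulate into a list."""
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)  # type: ignore[union-attr]
        else:
            policy[key] = value
    return policy


def split_by_policy(policy: Dict[str, object],
                    mx_records: Iterable[Tuple[int, str]]) -> Tuple[List[str], List[str]]:
    """Partition the MX RRset, in preference order, into policy-allowed and rejected names."""
    patterns: List[str] = policy["mx"]  # type: ignore[assignment]
    allowed, rejected = [], []
    for _pref, exchange in sorted(mx_records):
        name = _normalize(exchange)
        if any(mx_pattern_matches(p, name) for p in patterns):
            allowed.append(name)
        else:
            rejected.append(name)
    return allowed, rejected


def deliverable_hosts(policy: Dict[str, object],
                      mx_records: Iterable[Tuple[int, str]]) -> List[str]:
    """Hosts a policy-honoring sender may connect to.

    In 'enforce' mode a non-matching MX is skipped outright. In 'testing' (or
    'none') mode the mismatch is only reported, so every MX remains usable.
    """
    allowed, rejected = split_by_policy(policy, mx_records)
    if policy.get("mode") == "enforce":
        return allowed
    return allowed + rejected


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    print("allowed/rejected:", split_by_policy(pol, MX_RECORDS))
    print("deliverable:", deliverable_hosts(pol, MX_RECORDS))
```

The validator never asks what `mx3.example.com` or `relay.backup.example.net` resolves to; the decision rests on the owner names in the MX answer, which is the point the reply makes. Whether an MX exchange may itself be a CNAME is the separate RFC 2181 section 10.3 question and would be a different check at DNS-resolution time. What the policy check buys a defender is that, in enforce mode, an MX name that is not covered by the published policy is simply not used, so a spoofed or tampered MX answer cannot redirect the connection to an unlisted host.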