Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Sam Varshavchik <mrsam@courier-mta.com> Thu, 01 April 2021 22:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/rwa_lvo7je7sqK4sjVo_Slzg0jw>

Kristijonas Lukas Bukauskas writes:

> * - the domain I have with them for testing purposes.
>
> Viktor Dukhovni and Sam Varshavchik have already provided their detailed  
> viewpoints which will help me a lot to continue working with the support of  
> this sending MTA. 

My viewpoints are somewhat dated. The persona-non-grata status of MXs  
pointing to CNAMEs – that verbiage appears to be new to the current SMTP  
standard; I checked and did not find any equivalent language in the prior  
one, so my implementation reflected that.

Be that as it may. I do not see any technical issues with MXs pointing to  
CNAMEs, except that an additional lookup is required to resolve the CNAME in  
most cases. If this is not within the scope of the current standard, then I  
would not set up my domains like that.