
Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-03-31 20:14:50
On 2021-04-01 03:30, John Levine wrote:

Quite right.

"Doctor, doctor, it hurts when I do this."

"So don't do that."

Thank you for your position on the subject. :)

I'm _not_ advocating for MXs to point to CNAMEs, because that's prohibited. You're right that they mustn't be used. My question was different. To rephrase it: whether MTA-STS validation should fail solely based on that, and whether such behavior by a Sending MTA honoring MTA-STS would be in accordance with RFC 8461.

By the way, from the last TLSRPT:

{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2021-03-30T00:00:00Z",
    "end-datetime": "2021-03-30T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply@microsoft.com",
  "report-id": "",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx:", "max_age: 84600"],
        "policy-domain": ""
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 492
      },
      "failure-details": [
        {"result-type": "certificate-host-mismatch", "failed-session-count": 492}
      ]
    }
  ]
}

Do they complain about the certificate which includes both and * anyways?

My questions here are intended for discussion and for the interpretation of the RFC(s) [especially RFC 8461] only. :)

ietf-smtp mailing list
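Two small pieces of defender-side tooling for the situation in the mail above, as an added example that is not part of the thread: a summariser for the TLSRPT (RFC 8460) JSON structure quoted there, and the MX-name matching rule of RFC 8461 section 4.1, under which the MX record's own name (not any CNAME target) is compared against the policy's mx patterns and a "*" wildcard stands only for the entire left-most label. The report JSON, the domain, the hostnames and the report-id are constructed placeholders; only the session counts mirror the quoted report.

```python
# Added example (not from the thread): TLSRPT report summary + MTA-STS mx matching.
import json

# Constructed sample shaped like the report quoted in the mail; domain,
# hostnames and report-id are placeholders, the session counts are the same.
SAMPLE_REPORT = json.loads("""{
  "organization-name": "Example Reporter", "report-id": "report-0001",
  "date-range": {"start-datetime": "2021-03-30T00:00:00Z", "end-datetime": "2021-03-30T23:59:59Z"},
  "contact-info": "tlsrpt-noreply@reporter.example",
  "policies": [{
    "policy": {"policy-type": "sts", "policy-domain": "example.com",
               "policy-string": ["version: STSv1", "mode: enforce", "mx: mail.example.com", "max_age: 84600"]},
    "summary": {"total-successful-session-count": 0, "total-failure-session-count": 492},
    "failure-details": [{"result-type": "certificate-host-mismatch", "failed-session-count": 492}]}]}""")

def parse_policy_string(lines):
    """Policy-string lines -> dict; 'mx' may repeat, so it is kept as a list."""
    fields = {"mx": []}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            if value:                 # the quoted report had the mx value redacted
                fields["mx"].append(value)
        else:
            fields[key] = value
    return fields

def mx_matches(pattern, mx_host):
    """RFC 8461 s4.1: the MX record's own name (not a CNAME target) must match a
    policy mx pattern; '*' may only stand for the entire left-most label."""
    pattern, host = pattern.lower().rstrip("."), mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label                # exactly one label
    return pattern == host

def summarize(report):
    """Per-policy mode, failure rate and failure-type counts from a TLSRPT report."""
    rows = []
    for entry in report["policies"]:
        s, pol = entry["summary"], entry["policy"]
        ok, bad = s["total-successful-session-count"], s["total-failure-session-count"]
        rows.append({"domain": pol["policy-domain"],
                     "mode": parse_policy_string(pol["policy-string"]).get("mode"),
                     "failure_rate": bad / (ok + bad) if ok + bad else 0.0,
                     "failures": {d["result-type"]: d["failed-session-count"]
                                  for d in entry.get("failure-details", [])}})
    return rows
```

A report whose only failure type is certificate-host-mismatch, as in the quoted one, shows that the receiving MX presented a certificate that did not cover the MX hostname the sender was required to check.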