
Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-03-31 21:27:50
On 2021-04-01 04:41, John R Levine wrote:

IETF standards tell you what to do to interoperate.  They generally
don't tell you what to do when some part of a system doesn't follow
the spec.

Thank you for your clarification.

By the way, from the last TLSRPT:

{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2021-03-30T00:00:00Z",
    "end-datetime": "2021-03-30T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply(_at_)microsoft(_dot_)com",
  "report-id": "",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx:", "max_age: 84600"],
        "policy-domain": ""
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 492
      },
      "failure-details": [
        {
          "result-type": "certificate-host-mismatch",
          "failed-session-count": 492
        }
      ]
    }
  ]
}

Do they complain about the certificate which includes both and * anyways?

Even without the CNAME error, why would it do that?  The cert matches
the name of the MX.

So certificate-host-mismatch here should be understood that EITHER §4.1 [1] (MX Host Validation) OR §4.2 [2] (Recipient MTA Certificate Validation) failed and not that, according to the report, the certificate hostname mismatched? Or what exactly?
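
Added example, not part of the original message and not any sender's actual implementation: the two checks named above, RFC 8461 §4.1 (MX name against the policy "mx" patterns) and the name part of §4.2 (certificate SAN against the MX hostname), kept separate so it is visible which one rejects a given name. All hostnames, SAN lists and the returned labels are constructed for illustration; expiry and chain-of-trust checks from §4.2 are left out.

```python
# Constructed illustration: hostnames, SAN lists and result labels are assumptions.

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()

def dns_id_matches(pattern, host):
    """Match where '*' may only stand for the entire left-most label."""
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

def mx_allowed_by_policy(mx_host, policy_mx):
    """RFC 8461 section 4.1: MX name must match at least one 'mx' pattern."""
    return any(dns_id_matches(p, mx_host) for p in policy_mx)

def cert_covers_host(san_dns_ids, mx_host):
    """Name part of RFC 8461 section 4.2: a SAN DNS-ID must match the MX host."""
    return any(dns_id_matches(s, mx_host) for s in san_dns_ids)

def validate(mx_host, policy_mx, san_dns_ids):
    """Return the first failing check, using labels local to this example."""
    if not mx_allowed_by_policy(mx_host, policy_mx):
        return "mx-not-in-policy"
    if not cert_covers_host(san_dns_ids, mx_host):
        return "cert-name-mismatch"
    return "ok"

if __name__ == "__main__":
    policy = ["mx.example.com"]                 # constructed policy 'mx' list
    sans = ["example.com", "*.example.com"]     # constructed certificate SANs
    for host in ["mx.example.com", "host.provider.example", "a.b.example.com"]:
        print(host, "->", validate(host, policy, sans))
```

The name passed as mx_host is whatever name the sender validates against; which name a given sender uses when the MX is a CNAME is not stated in this thread.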

