ietf-smtp

Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-04-02 11:00:25
On 2021-04-02 18:09, Hector Santos wrote:

If the receiver's administrative policy is causing you pain, and they don't
see that you may not be the only one with MX->CNAME records (they do
exist) and won't make an exception, then you're only left with one
thing: comply with the 2181 specification.

This is their recent response:

As my colleagues who investigated this issue communicated, our position is that this is primarily due
to what we believe to be a non-RFC-compliant MX record.
Regardless of the liberal acceptance of this for regular mail, in this case our implementation of
MTA-STS is not as liberal.
Treating this as a feature request to support such behaviour leads us to evaluate the importance of
such work. Viktor's numbers (~0.3% +/- 0.1% of MX records are CNAMEs) clearly show this is not an
urgent or critical matter threatening the ecosystem and deployment of MTA-STS, and therefore we have
rejected the request.
I urge you to fix your MX record.

I still have a concern regarding an error returned in their aggregated TLS report:

{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2021-03-31T00:00:00Z",
    "end-datetime": "2021-03-31T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply(_at_)microsoft(_dot_)com",
  "report-id": "132617776923269755+n0.lt",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx: mx.n0.lt", "max_age: 84600"],
        "policy-domain": "n0.lt"
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 36
      },
      "failure-details": [
        {"result-type": "certificate-host-mismatch", "failed-session-count": 36}
      ]
    }
  ]
}

Is this a correct error to return, even if with CNAME/MX? (SANs are n0.lt and *.n0.lt in my cert.)

"certificate-host-mismatch": This indicates that the certificate
presented did not adhere to the constraints specified in the MTA-STS
or DANE policy, e.g., if the MX hostname does not match any
identities listed in the subject alternative name (SAN) [RFC5280]
[https://tools.ietf.org/html/rfc8460#section-4.3.1]

Good luck with your affair!! <g>

Thank you! :)

--
Regards,
Kristijonas
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
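The report quoted in the post and the question it raises (does mx.n0.lt match a certificate whose SANs are n0.lt and *.n0.lt?) can be worked through with a short script. The following is an added example, not code from the thread or from any of the parties in it. It parses a TLSRPT aggregate report (RFC 8460) into a per-policy summary and applies the MTA-STS name-matching rule from RFC 8461 section 4.1 (a leading "*." stands for exactly one DNS label; otherwise an exact, case-insensitive match), both for the policy's mx patterns and for the certificate SANs. REPORT_JSON is a copy of the report from the post (the archive's address obfuscation left in place), CERT_SANS is the SAN list the poster describes, and the MX hostname checked is taken from the policy's own mx line; all three are embedded so the script runs offline.

```python
"""Parse a TLSRPT (RFC 8460) aggregate report and apply MTA-STS name matching (RFC 8461 s4.1).

Added example, not code from the original thread. REPORT_JSON is copied from
the report quoted in the post; CERT_SANS is the SAN list the poster gives.
"""
import json

# Copy of the report in the post. Address obfuscation ("(_at_)", "(_dot_)") is
# how the list archive renders it and is left as-is.
REPORT_JSON = r'''{"organization-name":"Microsoft Corporation","date-range":{"start-datetime":"2021-03-31T00:00:00Z","end-datetime":"2021-03-31T23:59:59Z"},"contact-info":"tlsrpt-noreply(_at_)microsoft(_dot_)com","report-id":"132617776923269755+n0.lt","policies":[{"policy":{"policy-type":"sts","policy-string":["version: STSv1","mode: enforce","mx: mx.n0.lt","max_age: 84600"],"policy-domain":"n0.lt"},"summary":{"total-successful-session-count":0,"total-failure-session-count":36},"failure-details":[{"result-type":"certificate-host-mismatch","failed-session-count":36}]}]}'''

# SANs of the poster's certificate, as stated in the post.
CERT_SANS = ["n0.lt", "*.n0.lt"]


def parse_policy_string(lines):
    """Turn the policy-string array (one 'key: value' per element) into a dict.

    'mx' may appear several times in an MTA-STS policy, so it is kept as a list.
    """
    policy = {"mx": []}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def summarize_report(report_json):
    """One summary dict per 'policies' entry: domain, mode, mx patterns,
    session counts and a failures-by-result-type map."""
    report = json.loads(report_json)
    summaries = []
    for entry in report["policies"]:
        policy = parse_policy_string(entry["policy"]["policy-string"])
        failures = {}
        for detail in entry.get("failure-details", []):
            rtype = detail["result-type"]
            failures[rtype] = failures.get(rtype, 0) + detail["failed-session-count"]
        summaries.append({
            "reporter": report["organization-name"],
            "policy_domain": entry["policy"]["policy-domain"],
            "policy_type": entry["policy"]["policy-type"],
            "mode": policy.get("mode"),
            "mx": policy["mx"],
            "successful": entry["summary"]["total-successful-session-count"],
            "failed": entry["summary"]["total-failure-session-count"],
            "failures": failures,
        })
    return summaries


def name_matches(host, pattern):
    """Wildcard rule shared by RFC 8461 'mx' entries and RFC 6125 certificate names:
    a leading '*.' matches exactly one DNS label, anything else must match exactly.
    Comparison is case-insensitive and ignores a trailing dot."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.n0.lt" -> ".n0.lt"
        # same number of labels as the pattern, and the suffix must line up
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return host == pattern


def check_mx_host(mx_host, policy_mx, cert_sans):
    """Apply both MTA-STS checks to one MX hostname (the name in the MX RR itself,
    not anything it may be a CNAME for): policy 'mx' match and certificate SAN match."""
    return {
        "mx_host": mx_host,
        "matches_policy": any(name_matches(mx_host, p) for p in policy_mx),
        "matches_cert": any(name_matches(mx_host, san) for san in cert_sans),
    }


if __name__ == "__main__":
    for s in summarize_report(REPORT_JSON):
        print(f"{s['reporter']} -> {s['policy_domain']} (mode {s['mode']}): "
              f"{s['successful']} ok, {s['failed']} failed, {s['failures']}")
        # The hostname checked here is the policy's own mx line, assumed to be
        # the name in n0.lt's MX record.
        for mx in s["mx"]:
            print("  ", check_mx_host(mx, s["mx"], CERT_SANS))
```

On these inputs the name check passes: mx.n0.lt matches the *.n0.lt SAN under the one-label wildcard rule, and it matches the policy's mx line, so the rules alone would not yield certificate-host-mismatch for that hostname. What the script cannot see is which name the reporting MTA actually compared against the certificate (for example, whether it resolved the MX target through its CNAME first), which is exactly what the post asks about; the report format carries only the result-type, not the name that was checked.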