On 2021-04-02 18:09, Hector Santos wrote:
If the receiver administrative policy is causing a pain and they don't
see that you may not be the only one with MX->CNAME records and they
do exist, they won't make an exception, then you're only left with one
thing - comply with the 2181 specification.
This is their recent response:
As my colleagues who investigated this issue communicated, our position
is that this is primarily due to what we believe to be a non-RFC
compliant MX record.
Regardless of the liberal acceptance of this for regular mail, in this
case, our implementation of MTA-STS is not as liberal.
Treating this as a feature request to support such behaviour leads us
to evaluate the importance of such work. Viktor's numbers (~0.3% +/-
0.1% of MX records are CNAMEs) clearly show this is not an urgent or
critical matter threatening the ecosystem and deployment of MTA-STS and
therefore we have rejected the request.
I urge you to fix your MX record.
I still have a concern regarding an error returned in their aggregated
TLS report:
{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2021-03-31T00:00:00Z",
    "end-datetime": "2021-03-31T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply(_at_)microsoft(_dot_)com",
  "report-id": "132617776923269755+n0.lt",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx: mx.n0.lt", "max_age: 84600"],
        "policy-domain": "n0.lt"
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 36
      },
      "failure-details": [
        {"result-type": "certificate-host-mismatch", "failed-session-count": 36}
      ]
    }
  ]
}
Is this a correct error to return, even if with CNAME/MX? (SANs are
n0.lt and *.n0.lt in my cert.)
"certificate-host-mismatch": This indicates that the certificate
presented did not adhere to the constraints specified in the MTA-STS
or DANE policy, e.g., if the MX hostname does not match any
identities listed in the subject alternative name (SAN) [RFC5280]
[https://tools.ietf.org/html/rfc8460#section-4.3.1]
Good luck with your affair!! <g>
Thank you! :)
--
Regards,
Kristijonas
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
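
Added example, not part of the original message or of any implementation discussed in the thread: Python that tallies the failures in the TLS-RPT report above and checks a hostname against both the policy's mx list and the certificate SANs, using single-label wildcard matching. The CNAME target name is a constructed placeholder, and whether the reporting sender validates against that name is an assumption the thread does not confirm.

```python
import json

# TLS-RPT report from the message above, trimmed to the fields used here.
REPORT = json.loads("""
{"policies":[{"policy":{"policy-type":"sts",
  "policy-string":["version: STSv1","mode: enforce","mx: mx.n0.lt","max_age: 84600"],
  "policy-domain":"n0.lt"},
 "summary":{"total-successful-session-count":0,"total-failure-session-count":36},
 "failure-details":[{"result-type":"certificate-host-mismatch","failed-session-count":36}]}]}
""")

def dns_match(pattern, host):
    """Match host against an exact name or a '*.' wildcard covering one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return h == p

def policy_mx_patterns(policy):
    """Extract the 'mx:' values from a TLS-RPT policy-string array."""
    out = []
    for line in policy["policy-string"]:
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            out.append(value.strip())
    return out

def check(host, mx_patterns, sans):
    """Return (allowed by the policy mx list, covered by a certificate SAN)."""
    return (any(dns_match(p, host) for p in mx_patterns),
            any(dns_match(s, host) for s in sans))

def failures(report):
    """Map result-type -> failed-session-count summed across all policies."""
    totals = {}
    for pol in report["policies"]:
        for d in pol.get("failure-details", []):
            totals[d["result-type"]] = totals.get(d["result-type"], 0) + d["failed-session-count"]
    return totals

SANS = ["n0.lt", "*.n0.lt"]               # SANs stated in the message
MX_NAME = "mx.n0.lt"                      # MX name listed in the policy
CNAME_TARGET = "host.provider.example"    # constructed placeholder, not from the thread

if __name__ == "__main__":
    patterns = policy_mx_patterns(REPORT["policies"][0]["policy"])
    print("failures:", failures(REPORT))
    for name in (MX_NAME, CNAME_TARGET):
        print(name, check(name, patterns, SANS))
```

Running the same check against the real CNAME target and the SANs of the certificate actually served on port 25 shows which reference name, if any, would produce a mismatch.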