ietf-smtp

Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-04-02 15:50:59
On 2021-04-02 21:54, Viktor Dukhovni wrote:

On Fri, Apr 02, 2021 at 07:00:05PM +0300, Kristijonas Lukas Bukauskas wrote:

{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2021-03-31T00:00:00Z",
    "end-datetime": "2021-03-31T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply(_at_)microsoft(_dot_)com",
  "report-id": "132617776923269755+n0.lt",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: enforce",
          "mx: mx.n0.lt",
          "max_age: 84600"
        ],
        "policy-domain": "n0.lt"
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 36
      },
      "failure-details": [
        {
          "result-type": "certificate-host-mismatch",
          "failed-session-count": 36
        }
      ]
    }
  ]
}

Is this a correct error to return, even with CNAME/MX? (SANs are
n0.lt and *.n0.lt in my cert.)

The error indicated is indeed misleading, since the problem appears
to rather be a mismatch between the CNAME-expanded MX hostname and
the "mx: " field of the MTA-STS policy.  The certificate matches
either name, so isn't plausibly the problem:

mx.n0.lt. IN CNAME n0.lt.
n0.lt. IN A 188.166.32.32

So that's the failed MX Host Validation, as described in [RFC8461], section 4.1, that the sending MTA seems to claim is the problem. Correct?

A receiving candidate MX host is valid according to an applied MTA-
STS Policy if the *MX record name* matches one or more of the "mx"
fields in the applied policy.  Matching is identical to the rules
given in [RFC6125], with the restriction that the wildcard character
'*' may only be used to match the entire left-most label in the
presented identifier.  Thus, the mx pattern "*.example.com" matches
"mail.example.com" but not "example.com" or "foo.bar.example.com".

If so, what error should the reporter use, as per [RFC8460], in an aggregated TLS report?

validation-failure?

However, as a receiving system, in the meantime, you can do yourself and
everyone else a favour by changing your DNS to avoid the CNAME.

Will do, immediately after the sending MTA finishes their testing (a few support teams at the sending MTA are still working on my support tickets).

Please accept my deepest thanks for your professionalism and guidance.

--
Regards,
Kristijonas
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
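The MX host validation rule from RFC 8461 section 4.1 that the thread turns on, worked through in code. This is an added example, not code from the thread or from any MTA; it embeds the policy lines and the DNS answers quoted in the mail, a trimmed copy of the TLSRPT report, and one assumption: that n0.lt's MX record names mx.n0.lt (the thread implies this but does not show the MX RRset). It shows that the MX record name matches the policy, while a sender that first expands the CNAME checks "n0.lt" and fails, and it tallies the report's failure-details by result-type.

```python
"""MTA-STS MX host validation (RFC 8461 section 4.1) applied to the case in the thread."""
import json

# Constructed inputs taken from the mail above.  The MX RRset is an assumption:
# the thread only implies that n0.lt's MX record names mx.n0.lt.
POLICY_LINES = ["version: STSv1", "mode: enforce", "mx: mx.n0.lt", "max_age: 84600"]
DNS = {                                    # answers quoted in the thread
    "mx.n0.lt.": ("CNAME", "n0.lt."),      # MX target is an alias (RFC 2181 s10.3 forbids this)
    "n0.lt.": ("A", "188.166.32.32"),
}
MX_RRSET = ["mx.n0.lt"]                    # assumed: 'n0.lt. IN MX 10 mx.n0.lt.'
TLSRPT_JSON = json.dumps({                 # trimmed copy of the report in the mail
    "report-id": "132617776923269755+n0.lt",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-string": POLICY_LINES, "policy-domain": "n0.lt"},
        "summary": {"total-successful-session-count": 0, "total-failure-session-count": 36},
        "failure-details": [{"result-type": "certificate-host-mismatch", "failed-session-count": 36}],
    }],
})


def parse_policy(lines):
    """Turn the 'key: value' lines of a policy-string into a dict; 'mx' may repeat."""
    policy = {"mx": []}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def mx_matches(mx_name, pattern):
    """RFC 8461 s4.1 matching: exact, or '*.' covering the whole left-most label only.
    '*.example.com' matches 'mail.example.com' but not 'example.com' or 'foo.bar.example.com'."""
    name = mx_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not name.endswith("." + suffix):
            return False
        left = name[: -(len(suffix) + 1)]
        return left != "" and "." not in left   # exactly one label replaced
    return name == pattern


def mx_host_valid(mx_name, policy):
    """True if the candidate MX name matches any 'mx' field of the applied policy."""
    return any(mx_matches(mx_name, p) for p in policy["mx"])


def canonical_name(name, dns=DNS):
    """Follow CNAMEs the way a sender that expands the MX target before validating would."""
    name = name.lower().rstrip(".") + "."
    seen = set()
    while name in dns and dns[name][0] == "CNAME" and name not in seen:
        seen.add(name)
        name = dns[name][1].lower()
    return name.rstrip(".")


def validate_candidates(mx_rrset, policy, dns=DNS, follow_cname=False):
    """For each candidate MX, return (name actually checked, valid?).
    RFC 8461 s4.1 says to check the MX record name itself; a sender that first
    expands the CNAME checks the canonical name and, with this policy, fails."""
    out = {}
    for mx in mx_rrset:
        checked = canonical_name(mx, dns) if follow_cname else mx.lower().rstrip(".")
        out[mx] = (checked, mx_host_valid(checked, policy))
    return out


def failure_summary(report_json):
    """Sum failed sessions per result-type across every policy in a TLSRPT report."""
    totals = {}
    for entry in json.loads(report_json)["policies"]:
        for detail in entry.get("failure-details", []):
            rtype = detail["result-type"]
            totals[rtype] = totals.get(rtype, 0) + detail["failed-session-count"]
    return totals


if __name__ == "__main__":
    policy = parse_policy(POLICY_LINES)
    print("by MX record name:    ", validate_candidates(MX_RRSET, policy))
    print("after CNAME expansion:", validate_candidates(MX_RRSET, policy, follow_cname=True))
    print("report failures:      ", failure_summary(TLSRPT_JSON))
```

Run as a script it prints the two validation outcomes side by side: checking the MX record name "mx.n0.lt" succeeds, checking the CNAME-expanded "n0.lt" does not, which is the mismatch Viktor describes, and the report's only result-type is certificate-host-mismatch with 36 sessions. Removing the CNAME (pointing the MX at a name with an A record) makes both paths agree.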