ietf-smtp

Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-04-04 15:48:18
On 2021-04-04 21:17, John R Levine wrote:

On Sun, 4 Apr 2021, Kristijonas Lukas Bukauskas wrote:

Shouldn't an MTA-STS validator do *exactly* what RFC8461, section 4.1 says:

That's not how standards work.  If you follow the standard, you should
be able to interoperate with other people that follow it.  If you
don't, the results are unpredictable.  We don't try to anticipate
every possible mistake both because it is a waste of time and because
it is impossible. I suppose it would be nice if Microsoft sent a
better error message but that's not a bug I can get very excited
about.

You know that pointing your MX at a CNAME is a mistake, so it'll fail
at random.  It's a somewhat common mistake, but it's still a mistake.
If it were me, I would fix it and move on.

I would disagree. Standards are, or are supposed to be, well defined. Any implicit or implied reasoning based on emotions or on whatever value system a vendor holds (being more or less liberal) while interpreting them should be avoided unless it is inevitably necessary. That's what standards are for. MUST is normally added when there is an absolute requirement, sometimes with a reference to another RFC if needed. For example:

Policy bodies are, as described above, retrieved by Sending MTAs via
HTTPS [RFC2818].  During the TLS handshake initiated to fetch a new
or updated policy from the Policy Host, the Policy Host HTTPS server
MUST present an X.509 certificate that is valid for the "mta-sts"
DNS-ID [RFC6125] (e.g., "mta-sts.example.com") as described below,
chain to a root CA that is trusted by the Sending MTA, and be non-
expired.

[RFC 8461, Section 3.3]

One could argue that it would be reasonable to imply that the chain to a Root CA has to be trusted by the Sending MTA and be non-expired. In the world of standards, you can't do that unless there is a MUST. If it's not explicitly defined as a requirement for some specific outcome, it isn't one for that outcome.

And that applies to you, even if you are as huge as Microsoft.

--

Regards,
Kristijonas
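The mechanics the thread argues over, as an added example that is not from the thread, from RFC 8461, or from any vendor's validator: a parser for the RFC 8461 section 3.2 policy text format and the "mx" pattern matching a Sending MTA performs under section 4.1. The wildcard handling (a `*` only as the full leftmost label, matching exactly one label) is this example's reading of the RFC; the policy body, `mail.example.com` and `smtp-gw.hosting-provider.example` are constructed, hypothetical data. The last function only shows that matching by the MX record's own name and matching by the CNAME's canonical name give different answers when the MX target is a CNAME into another domain; it does not decide which name a validator should use.

```python
"""MTA-STS (RFC 8461) policy parsing and 'mx' pattern matching (added example)."""
import re
from typing import Any, Dict, Optional

# Constructed policy body in the RFC 8461 section 3.2 text format (hypothetical).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
"""

_HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are case-insensitive."""
    return name.strip().lower().rstrip(".")


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse a policy body into a dict; every 'mx' line is collected in a list."""
    policy: Dict[str, Any] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            value = _canon(value)
            if not _HOST_RE.match(value):
                raise ValueError(f"bad mx pattern: {value!r}")
            policy["mx"].append(value)
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"policy lacks required field {required!r}")
    if policy["version"] != "STSv1":
        raise ValueError(f"unsupported version {policy['version']!r}")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {policy['mode']!r}")
    if not policy["max_age"].isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """Match one policy pattern against one MX hostname.

    A wildcard is accepted only as the full leftmost label and matches exactly
    one label: '*.example.com' matches 'mail.example.com' but neither
    'example.com' nor 'a.mail.example.com' (this example's reading of the RFC).
    """
    pattern, host = _canon(pattern), _canon(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]            # '.example.com'
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def host_permitted(policy: Dict[str, Any], host: str) -> bool:
    """True if the hostname matches any 'mx' entry of the policy."""
    return any(mx_matches(p, host) for p in policy["mx"])


# Constructed DNS view of the thread's scenario: the MX record's target is
# itself a CNAME (which RFC 2181 section 10.3 forbids) whose canonical name
# lives under a different domain. Both names are hypothetical.
MX_RECORD_TARGET = "mail.example.com"
CNAME_CANONICAL = "smtp-gw.hosting-provider.example"


def evaluate_mx(policy: Dict[str, Any], mx_target: str,
                canonical: Optional[str]) -> Dict[str, bool]:
    """Report how the MX host fares under each name a validator might compare.

    'by_mx_name' uses the target written in the MX record; 'by_canonical' uses
    the name the CNAME resolves to. Which of the two a validator should use is
    exactly what the thread disputes; this only shows that they disagree.
    """
    return {
        "by_mx_name": host_permitted(policy, mx_target),
        "by_canonical": host_permitted(policy, canonical or mx_target),
    }


if __name__ == "__main__":
    print(evaluate_mx(parse_policy(SAMPLE_POLICY), MX_RECORD_TARGET, CNAME_CANONICAL))
```

Running it prints the two-way result for the constructed data: the record's own name satisfies the policy, the canonical name does not. Note that the certificate check in section 3.3 (valid for the `mta-sts` DNS-ID, chaining to a trusted root, non-expired) is a separate step performed on the HTTPS policy fetch and is not modelled here.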