
Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-04-04 15:55:04


--On Sunday, 04 April, 2021 14:17 -0400 John R Levine
<johnl(_at_)taugh(_dot_)com> wrote:

> On Sun, 4 Apr 2021, Kristijonas Lukas Bukauskas wrote:
>> Shouldn't an MTA-STS validator do *exactly* what RFC8461,
>> section 4.1 says:
>
> That's not how standards work.  If you follow the standard,
> you should be able to interoperate with other people that
> follow it.  If you don't, the results are unpredictable.  We
> don't try to anticipate every possible mistake both because it
> is a waste of time and because it is impossible. I suppose it
> would be nice if Microsoft sent a better error message but
> that's not a bug I can get very excited about.
>
> You know that pointing your MX at a CNAME is a mistake, so
> it'll fail at random.  It's a somewhat common mistake, but
> it's still a mistake.  If it were me, I would fix it and move
> on.

Agreed and let me make two small additions:

(1) I agree enthusiastically with your earlier "doctor, it hurts
when I do this" comment and the response.  It is clear, as you
suggest above, that having an MX record pointing to a name
associated with a CNAME (or, for that matter, anything but an
address record) is going to fail with some systems.  How many,
which ones, and how the failures occur is unimportant (which is
almost exactly what 5321 says in standard-ese).

(2) With regard to both the above and the note Kristijonas
posted a few minutes ago, if RFC 8461 says anything that appears
to contradict the above, it is a bug and those who care should
be generating errata or, better yet, working on an update.  8461
can --at least as long as it is consistent with other deployed
specs-- say anything it likes about certificates, where they
come from, and how they are validated.  But, if it can be read
as encouraging violation of 5321 in a specification that is
clearly about SMTP, that is bad news.

    john
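As an added example (not part of the thread), the two checks the discussion turns on, written as a small Python zone lint: MX targets that are CNAMEs or lack address records are flagged per RFC 2181 § 10.3 / RFC 5321, and MTA-STS mx patterns are matched against the MX hostname as it appears in the MX RRset, not against whatever a CNAME might point to. The zone data is constructed in memory; no DNS is queried.

```python
"""Zone lint for MX targets and MTA-STS mx patterns (added example)."""

# Constructed stand-in for DNS answers: owner name -> list of (rrtype, rdata).
ZONE = {
    "example.com.":       [("MX", (10, "mail.example.com.")),
                           ("MX", (20, "alias.example.com."))],
    "mail.example.com.":  [("A", "192.0.2.25")],
    "alias.example.com.": [("CNAME", "mail.example.com.")],
}

def lookup(name, rrtype, zone=ZONE):
    """Return the rdata of all records of `rrtype` owned by `name`."""
    return [rdata for t, rdata in zone.get(name, []) if t == rrtype]

def mx_target_problems(domain, zone=ZONE):
    """List (preference, target, reason) for MX targets that violate
    RFC 2181 section 10.3 / RFC 5321: a target must own A/AAAA records
    directly and must never be a CNAME."""
    problems = []
    for pref, target in sorted(lookup(domain, "MX", zone)):
        if lookup(target, "CNAME", zone):
            problems.append((pref, target, "MX target is a CNAME"))
        elif not (lookup(target, "A", zone) or lookup(target, "AAAA", zone)):
            problems.append((pref, target, "MX target has no A/AAAA record"))
    return problems

def mx_pattern_matches(mx_host, pattern):
    """RFC 8461 section 4.1 MX matching: compare the MX hostname from the
    MX RRset to a policy mx pattern; a leading '*.' matches exactly one label."""
    host = mx_host.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if pat.startswith("*."):
        suffix = pat[1:]                      # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == pat

def sts_valid_mx_hosts(domain, mx_patterns, zone=ZONE):
    """MX hostnames (RRset names, never CNAME targets) the policy permits."""
    return [t for _, t in sorted(lookup(domain, "MX", zone))
            if any(mx_pattern_matches(t, p) for p in mx_patterns)]

if __name__ == "__main__":
    print(mx_target_problems("example.com."))
    print(sts_valid_mx_hosts("example.com.", ["*.example.com"]))
```

Note that `alias.example.com.` passes the mx-pattern check yet fails the target check: the two validations are independent, which is why an MX pointing at a CNAME can succeed with one receiver's implementation and fail with another's.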

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
