On 2021-04-04 23:53, John C Klensin wrote:
> (2) With regard to both the above and the note Kristijonas
> posted a few minutes ago, if RFC 8461 says anything that appears
> to contradict the above, it is a bug and those who care should
> be generating errata or, better yet, working on an update. 8461
> can --at least as long as it is consistent with other deployed
> specs-- say anything it likes about certificates, where they
> come from, and how they are validated. But, if it can be read
> as encouraging violation of 5321 in a specification that is
> clearly about SMTP, that is bad news.
What is MTA-STS when in enforce mode?
    "enforce": In this mode, Sending MTAs MUST NOT deliver the
    message to hosts that fail MX matching or certificate validation
    or that do not support STARTTLS.

1) failed MX matching, as per section 4.1;
2) failed certificate validation, as per section 4.2;
3) a host doesn't support STARTTLS.
Those seem to be the only reasons that a Sending MTA honoring MTA-STS
MAY and MUST NOT deliver the messages when sending to an MX at a domain
for which the sender has a valid and non-expired MTA-STS Policy, at
least per MTA-STS, and to the best of my knowledge.

Can there exist other reasons, not related to MTA-STS, that allow or
oblige the sending MTA not to deliver messages? It sure can. Is MX
pointing to CNAME one of them?
Other than interpreting the:

    Any other response, specifically including a value that will return a
    CNAME record when queried, lies outside the scope of this Standard.

as "It is your problem if the target of the MX refers to a CNAME
and things break"
-- is it explicitly standardized what an MTA should do with such MX
records/hosts when delivering mail?
If not, can an MTA do whatever and report it as an MTA-STS validation
error when it's not?
On 2021-04-05 00:23, John R Levine wrote:
> You might also consider that some of the people you're arguing with
> have been writing standards documents since before you were born, so
> perhaps they have some experience worth learning from.
My apologies if I sound(ed) cocky. I am really grateful for everyone's
thoughts. Without a shadow of a doubt, all the responses are valuable to
me and they will encourage me to keep reading RFCs more carefully and to
comply with them. After all, it is not fair to ask of others what you
are not willing to do yourself. :)
But at the same time, I believe it's not too much to ask for from
Microsoft to either send messages to MXs that point to CNAMEs or at
least report errors correctly. They are huge. They can handle that.
Thanks, everyone!
--
Warm regards,
Kristijonas
__ /^\
.' \ / :.\
/ \ | :: \
/ /. \ / ::: |
| |::. \ / :::'/
| / \::. | / :::'/
`--` \' `~~~ ':'/`
/ (
/ 0 _ 0 \
\/ \_/ \/
-== '.' | '.' ==-
/\ '-^-' /\
\ _ _ /
.-`-((\o/))-`-.
_ / //^\\ \ _
."o".( , .:::. , )."o".
|o o\\ \:::::/ //o o|
\ \\ |:::::| // /
\ \\__/:::::\__// /
\ .:.\ `':::'` /.:. /
\':: |_ _| ::'/
jgs `---` `"""""` `---`
Happy Easter!
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
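The enforce-mode decision quoted above, written out as an added example for this thread (it is not code from the e-mail, from RFC 8461, or from any real MTA). It models the three refusal reasons of RFC 8461 section 5 and keeps the MX-to-CNAME case separate from them, since RFC 5321 section 5.1 places that case outside its own scope. Everything here is constructed: the policy, the MX names, the CNAME targets and the certificate DNS-IDs; nothing is looked up in DNS or fetched over TLS. The example also assumes that "the host name" a certificate must match in section 4.2 is the exchange name found in the MX record rather than any CNAME target it resolves to; that reading is the example's own.

```python
"""MTA-STS enforce-mode delivery decision modelled on RFC 8461 sections
4.1, 4.2 and 5.  Added example, not code from the e-mail or from any MTA.
All policy, MX, CNAME and certificate data is constructed inline."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    DELIVER = "deliver"
    MX_MISMATCH = "failed MX matching (RFC 8461 section 4.1)"
    CERT_INVALID = "failed certificate validation (RFC 8461 section 4.2)"
    NO_STARTTLS = "host does not support STARTTLS (RFC 8461 section 5)"


@dataclass(frozen=True)
class Policy:
    mode: str               # "enforce", "testing" or "none"
    mx: Tuple[str, ...]     # "mx" patterns from the policy file


@dataclass(frozen=True)
class Candidate:
    """One MX target plus what the sender observed (all constructed)."""
    mx_host: str                   # exchange name from the MX RDATA
    cname_target: Optional[str]    # set when mx_host is itself a CNAME
    supports_starttls: bool
    cert_dns_ids: Tuple[str, ...]  # SAN DNS-IDs of the presented certificate
    cert_chain_trusted: bool
    cert_expired: bool


def _label_match(pattern: str, name: str) -> bool:
    """Exact match, or a leading "*." covering exactly one label, which is
    how RFC 8461 section 3.2 defines "mx" wildcards.  The same single-label
    rule is applied to certificate DNS-IDs here (RFC 6125 style)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = name.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return pattern == name


def mx_matches_policy(policy: Policy, mx_host: str) -> bool:
    """Section 4.1: the name found in the MX record is compared with the
    policy patterns; what that name resolves to plays no part."""
    return any(_label_match(p, mx_host) for p in policy.mx)


def certificate_valid(cand: Candidate) -> bool:
    """Section 4.2: trusted chain, not expired, and a DNS-ID matching the
    host name.  Assumption of this example: the host name is mx_host."""
    if cand.cert_expired or not cand.cert_chain_trusted:
        return False
    return any(_label_match(d, cand.mx_host) for d in cand.cert_dns_ids)


def enforce_decision(policy: Policy, cand: Candidate) -> Verdict:
    """DELIVER, or one of the three enforce-mode refusal reasons.
    In "testing" and "none" modes the sender reports but still delivers."""
    if policy.mode != "enforce":
        return Verdict.DELIVER
    if not mx_matches_policy(policy, cand.mx_host):
        return Verdict.MX_MISMATCH
    if not cand.supports_starttls:
        return Verdict.NO_STARTTLS
    if not certificate_valid(cand):
        return Verdict.CERT_INVALID
    return Verdict.DELIVER


def cname_note(cand: Candidate) -> Optional[str]:
    """The thread's question: an MX exchange name that is a CNAME is not one
    of the three refusal reasons, so it is recorded on its own and never
    reported as an MTA-STS validation failure."""
    if cand.cname_target is None:
        return None
    return (f"{cand.mx_host} is a CNAME for {cand.cname_target}: outside "
            "RFC 5321 scope, not an MTA-STS failure")


# Constructed data: one enforce policy and a handful of candidate hosts.
POLICY = Policy("enforce", ("mail.example.com", "*.mx.example.net"))
CANDIDATES = {
    "plain": Candidate("mail.example.com", None, True,
                       ("mail.example.com",), True, False),
    "wildcard_ok": Candidate("a.mx.example.net", None, True,
                             ("*.mx.example.net",), True, False),
    # exchange name is a CNAME, certificate still names the MX host
    "cname_cert_ok": Candidate("mail.example.com", "mta1.provider.example",
                               True, ("mail.example.com",), True, False),
    # exchange name is a CNAME, certificate names only the CNAME target
    "cname_cert_bad": Candidate("mail.example.com", "mta1.provider.example",
                                True, ("mta1.provider.example",), True, False),
    "two_labels": Candidate("a.b.mx.example.net", None, True,
                            ("a.b.mx.example.net",), True, False),
    "no_tls": Candidate("mail.example.com", None, False, (), True, False),
}


def decide_all() -> Dict[str, Tuple[str, Optional[str]]]:
    return {n: (enforce_decision(POLICY, c).value, cname_note(c))
            for n, c in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (verdict, note) in decide_all().items():
        print(f"{name:15} {verdict}" + (f"  [{note}]" if note else ""))
```

The "cname_cert_bad" entry is the interesting one: under this example's reading of section 4.2 it is refused as a certificate validation failure against the MX exchange name, while the CNAME itself is only a note. Whether a sender should instead accept a certificate for the CNAME target is exactly the question the thread leaves open; the code does not settle it, it only keeps the two things from being conflated.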