
Re: [ietf-smtp] MTA-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

2021-04-04 17:26:44
On 2021-04-04 23:53, John C Klensin wrote:

(2) With regard to both the above and the note Kristijonas
posted a few minutes ago, if RFC 8461 says anything that appears
to contradict the above, it is a bug and those who care should
be generating errata or, better yet, working on an update.  8461
can --at least as long as it is consistent with other deployed
specs-- say anything it likes about certificates, where they
come from, and how they are validated.  But, if it can be read
as encouraging violation of 5321 in a specification that is
clearly about SMTP, that is bad news.

What is MTA-STS when in enforce mode?

"enforce": In this mode, Sending MTAs MUST NOT deliver the
     message to hosts that fail MX matching or certificate validation
     or that do not support STARTTLS.

1) failed MX matching, as per section 4.1;
2) failed certificate validation, as per section 4.2;
3) a host doesn't support STARTTLS.

Those seem to be the only reasons that a Sending MTA honoring MTA-STS MAY and MUST NOT deliver the messages when sending to an MX at a domain for which the sender has a valid and non-expired MTA-STS Policy, at least per MTA-STS, and to the best of my knowledge.

Can there exist other reasons, not related to MTA-STS, that allow or oblige the sending MTA not to deliver messages? It sure can. Is MX pointing to CNAME one of them?

Other than interpreting the:

Any other response, specifically including a value that will return a
  CNAME record when queried, lies outside the scope of this Standard.

as "It is your problem if the target of the MX refers to a CNAME
and things break"

-- is it explicitly standardized what MTA should do with such MX records/hosts when delivering mail? If not, can an MTA do whatever and report it as an MTA-STS validation error when it's not?

On 2021-04-05 00:23, John R Levine wrote:
You might also consider that some of the people you're arguing with
have been writing standards documents since before you were born, so
perhaps they have some experience worth learning from.

My apologies if I sound(ed) cocky. I am really grateful for everyone's thoughts. Without a shadow of a doubt, all the responses are valuable to me and they will encourage me to keep reading RFCs more carefully and to comply with them. After all, it is not fair to ask of others what you are not willing to do yourself. :)

But at the same time, I believe it's not too much to ask for from Microsoft to either send messages to MXs that point to CNAMEs or at least report errors correctly. They are huge. They can handle that.

Thanks everyone!

--
Warm regards,
Kristijonas

      __            /^\
    .'  \          / :.\
   /     \         | :: \
  /   /.  \       / ::: |
 |    |::. \     / :::'/
 |   / \::. |   / :::'/
 `--`   \'  `~~~ ':'/`
         /         (
        /   0 _ 0   \
      \/     \_/     \/
    -== '.'   |   '.' ==-
      /\    '-^-'    /\
        \   _   _   /
       .-`-((\o/))-`-.
  _   /     //^\\     \   _
."o".(    , .:::. ,    )."o".
|o  o\\    \:::::/    //o  o|
 \    \\   |:::::|   //    /
  \    \\__/:::::\__//    /
   \ .:.\  `':::'`  /.:. /
    \':: |_       _| ::'/
 jgs `---` `"""""` `---`

Happy Easter!


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
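Added example, not part of this thread and not code from any of the posters or from Microsoft: a small Python model of the enforce-mode decision the message quotes from RFC 8461. It implements the MX-pattern matching of RFC 8461 (exact match, or a "*." pattern that matches exactly one leftmost label), then refuses delivery only for the three reasons listed in the message (MX mismatch, certificate validation failure, no STARTTLS). The "MX target is a CNAME" condition from RFC 2181 section 10.3 is carried as a separate observation so that a reporting implementation cannot label it as an MTA-STS validation error. The policy "mx" values and candidate hosts are constructed sample data, and the Candidate and Decision types are assumptions of this example.

```python
"""Model of the MTA-STS "enforce" decision (added example, not from the thread).

MX matching follows RFC 8461: an "mx" pattern either equals the MX hostname
or is "*.<domain>" and matches exactly one extra leftmost label, so
"*.example.net" matches "mx1.example.net" but not "example.net" or
"a.b.example.net". Hostnames compare case-insensitively, trailing dot ignored.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot: 'Mail.Example.COM.' -> 'mail.example.com'."""
    return host.rstrip(".").lower()


def mx_matches(patterns: Iterable[str], mx_host: str) -> bool:
    """Return True if mx_host matches any policy "mx" pattern (RFC 8461 rules)."""
    host = normalize_host(mx_host)
    for pattern in patterns:
        pattern = normalize_host(pattern)
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.net" -> ".example.net"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                # Exactly one label may stand in for the wildcard.
                if left and "." not in left:
                    return True
        elif pattern == host:
            return True
    return False


@dataclass
class Candidate:
    """One MX host the sender is about to deliver to (assumed type for this example)."""
    mx_host: str
    supports_starttls: bool
    certificate_valid_for_mx: bool  # result of RFC 8461 section 4.2 validation
    # Whether the MX target name is an alias (the RFC 2181 section 10.3 issue from the
    # thread). Deliberately NOT an MTA-STS input; it is reported separately below.
    mx_target_is_cname: bool = False


@dataclass
class Decision:
    """Outcome of enforce mode (assumed type for this example)."""
    deliver: bool
    mta_sts_failure: Optional[str]  # one of the three RFC 8461 enforce reasons, or None
    other_note: Optional[str]       # observations outside MTA-STS, never mixed in above


def enforce_decision(policy_mx: List[str], cand: Candidate) -> Decision:
    """Refuse delivery only for MX mismatch, missing STARTTLS or a bad certificate.

    Anything else, such as the MX target being a CNAME, is not an MTA-STS
    validation failure and is surfaced in other_note instead.
    """
    if not mx_matches(policy_mx, cand.mx_host):
        failure = "mx-mismatch (RFC 8461 section 4.1)"
    elif not cand.supports_starttls:
        failure = "starttls-not-supported"
    elif not cand.certificate_valid_for_mx:
        failure = "certificate-validation-failed (RFC 8461 section 4.2)"
    else:
        failure = None
    note = None
    if cand.mx_target_is_cname:
        note = "MX target is a CNAME (RFC 2181 section 10.3); outside MTA-STS scope"
    return Decision(deliver=failure is None, mta_sts_failure=failure, other_note=note)


# Constructed sample policy "mx" values and candidates (not real records).
POLICY_MX = ["mail.example.com", "*.example.net"]

SAMPLE_CANDIDATES = [
    Candidate("Mail.Example.COM.", True, True),                          # exact match, case/dot
    Candidate("mx1.example.net", True, True, mx_target_is_cname=True),  # wildcard match, alias
    Candidate("a.b.example.net", True, True),                           # two labels: mismatch
    Candidate("mail.example.com", False, True),                         # no STARTTLS
    Candidate("mail.example.com", True, False),                         # bad certificate
]


def run_samples() -> List[Decision]:
    """Evaluate every constructed candidate against the sample policy."""
    return [enforce_decision(POLICY_MX, c) for c in SAMPLE_CANDIDATES]


if __name__ == "__main__":
    for cand, dec in zip(SAMPLE_CANDIDATES, run_samples()):
        print(f"{cand.mx_host:20} deliver={dec.deliver!s:5} "
              f"mta_sts_failure={dec.mta_sts_failure} note={dec.other_note}")
```

Run it directly to see that the aliased "mx1.example.net" host is still delivered to with no MTA-STS failure recorded, while the CNAME observation appears only in the separate note; the other four candidates show the exact-match normalization and the three genuine enforce-mode refusals.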
