Re: [exim] 454 Error

Author: John C Klensin
Date:  
To: Jeremy Harris, Mike Kadin
CC: exim-users
Subject: Re: [exim] 454 Error
--On Wednesday, July 27, 2016 10:06 +0100 Jeremy Harris
<jgh@???> wrote:

> On 27/07/16 01:34, Mike Kadin wrote:
>> help.uber.com is a CNAME to frontends.uber.com which is a
>> CNAME to frontends-sjc1.uber.com which has an MX record of
>> mx.sendgrid.net. Sendgrid is our inbound SMTP provider:
>
> CNAME chains are regarded as bad practice for efficiency
> reasons, even if not actually being an error.
> --


Given the "primary name" requirement of SMTP, pretty close to an
error, although a submission server could work around it if
mx.sendgrid.net was configured very carefully.

More important in today's world, especially for a highly-visible
provider with enemies, such a chain makes DNSSEC checking of the
integrity of DNS responses about the name largely ineffective in
the "not hard to design an attack that would effectively route
such mail somewhere where you didn't want it" variety. Another
note suggested a workaround; if I were Uber, I'd figure out some
other approach.

best,
     john
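
Added example, not part of the message above or of Exim: a small audit of a mail domain's path to its MX records, flagging the two conditions the thread discusses (the mail domain being a CNAME alias, and a multi-hop chain) and showing that one unsigned link leaves the final MX answer unauthenticated. The zone data, the names under example.com, the "signed" flags and the function name audit_mail_domain are all constructed assumptions; a real check would query DNS with a validating resolver.

```python
# Constructed records mirroring the shape of the chain quoted in the thread
# (two CNAME hops, then an MX). Names and "signed" flags are invented.
ZONE = {
    "help.example.com": {"CNAME": "frontends.example.com", "signed": True},
    "frontends.example.com": {"CNAME": "frontends-sjc1.example.com", "signed": False},
    "frontends-sjc1.example.com": {"MX": ["mx.mailhost.example"], "signed": True},
}
MAX_HOPS = 8  # arbitrary cap chosen for this example


def audit_mail_domain(domain, zone=ZONE):
    """Follow CNAMEs from a mail domain to its MX RRset and list findings."""
    chain, findings = [domain], []
    while "CNAME" in zone.get(chain[-1], {}):
        target = zone[chain[-1]]["CNAME"]
        if target in chain:
            findings.append("cname-loop")
            break
        if len(chain) > MAX_HOPS:
            findings.append("chain-too-long")
            break
        chain.append(target)
    hops = len(chain) - 1
    if hops >= 1:
        findings.append("mail-domain-is-alias")
    if hops >= 2:
        findings.append("cname-chain:%d-hops" % hops)
    # Every RRset on the path has to validate; a single unsigned link
    # means the MX answer at the end cannot be treated as authenticated.
    unsigned = [n for n in chain if not zone.get(n, {}).get("signed", False)]
    findings += ["unsigned-link:" + n for n in unsigned]
    mx = zone.get(chain[-1], {}).get("MX", [])
    if not mx:
        findings.append("no-mx")
    return {"chain": chain, "mx": mx,
            "authenticated": bool(mx) and not unsigned,
            "findings": findings}


if __name__ == "__main__":
    report = audit_mail_domain("help.example.com")
    print(" -> ".join(report["chain"]), "MX", report["mx"])
    print("authenticated:", report["authenticated"])
    for finding in report["findings"]:
        print("finding:", finding)
```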