Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
On Tue, Jun 09, 2020 at 04:41:33PM +0100, Jeremy Harris via Exim-dev wrote:

> On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
>
> > Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4
> >
> > The original reporter is right.
>
> No, it's worse. If you take that RFC 3207 wording strictly:
>
>   -  A SMTP client would probably only want to authenticate an SMTP
>       server whose server certificate has a domain name that is the
>       domain name that the client thought it was connecting to.
>
> it could mean the domain part of the recipient email address,
> pre-MX-lookup. Thanks to the word "domain".
>
> Or it could mean that, again, but only when there is no MX record
> and an A / AAAA is being used... but pre-CNAME.
>
> Or it could mean post-CNAME, because that "client" SMTP agent surely
> thought it was connecting to a name that A/AAAA resolved to the IP for
> the connect() syscall.
>
>
> It really is not well specified.
Perhaps so, but in the context of everything else in RFC6125, and the
specs for other protocols, ... it is fairly clear (to me anyway) that
the intent is to match the SMTP server name prior to CNAME expansion,
just like the HTTP/IMAP/... cases.

This is also, FWIW, what's expected with MTA-STS.

-- 
    Viktor.
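The distinction argued over above, which DNS name the SMTP client should use as the reference identity when it verifies the server certificate (the MX host name before CNAME expansion, as this message and RFC 6125 Appendix B.4 read it, versus the canonical name the CNAME resolves to), as an added example. This is not code from the thread, from Exim or from any RFC; the DNS records, the certificate SAN lists, the host names and the function names are all constructed for illustration. The wildcard rule implemented is the strict one (a single `*` only as the entire leftmost label), and the same rule is assumed for MTA-STS `mx` patterns.

```python
"""Which name does an SMTP client verify the server certificate against?

Added illustration for the exim-dev discussion of bug 2594: it computes the
candidate reference identities for a recipient domain (recipient domain,
MX host pre-CNAME, canonical name post-CNAME) and shows which of them a
given certificate would satisfy. All data below is constructed.
"""

# Constructed zone data (not real DNS). example.com's MX host is a CNAME to a
# hosting provider's machine; example.net has no MX at all (implicit MX).
DNS = {
    "MX": {"example.com": [(10, "mail.example.com"), (20, "mail2.example.com")]},
    "CNAME": {"mail.example.com": "mx1.hoster.example"},
    "A": {"mx1.hoster.example": ["192.0.2.25"], "example.net": ["192.0.2.26"]},
}


def mx_target(domain, dns=DNS):
    """Host the client connects to for `domain`: the lowest-preference MX,
    or, when no MX exists, the domain itself (RFC 5321 implicit MX)."""
    records = dns["MX"].get(domain)
    if records:
        return min(records)[1]
    return domain


def resolve_cname(name, dns=DNS, max_depth=8):
    """Follow the CNAME chain to the canonical name used for the A/AAAA lookup.
    Raises on a loop or an over-long chain instead of spinning."""
    seen = []
    while name in dns["CNAME"]:
        if name in seen or len(seen) >= max_depth:
            raise ValueError("CNAME loop or chain too long: %r" % seen)
        seen.append(name)
        name = dns["CNAME"][name]
    return name


def reference_identities(domain, dns=DNS):
    """The three candidate names discussed in the thread, keyed by origin."""
    mx_host = mx_target(domain, dns)
    return {
        "recipient_domain": domain,          # domain part of the address, pre-MX
        "pre_cname": mx_host,                # MX host name as obtained from DNS
        "post_cname": resolve_cname(mx_host, dns),  # name the connect() address came from
    }


def san_matches(pattern, name):
    """Match one dNSName SAN entry against a reference name (RFC 6125 style):
    case-insensitive, trailing dot ignored, '*' allowed only as the whole
    leftmost label and matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False  # partial or non-leftmost wildcards are rejected
    nhead, _, ntail = name.partition(".")
    return bool(nhead) and ntail == tail


def cert_matches(san_dns_names, name):
    """True if any dNSName in the certificate matches `name`."""
    return any(san_matches(p, name) for p in san_dns_names)


def verify_outcomes(domain, san_dns_names, dns=DNS):
    """For each candidate reference identity, would this certificate verify?"""
    ids = reference_identities(domain, dns)
    return {origin: cert_matches(san_dns_names, ident) for origin, ident in ids.items()}


def mta_sts_mx_allowed(mx_host, policy_mx_patterns):
    """MTA-STS policy check: the 'mx' patterns are compared against the MX host
    name, i.e. the pre-CNAME name (assumed here to use the same single-label
    wildcard rule as san_matches)."""
    return any(san_matches(p, mx_host) for p in policy_mx_patterns)


if __name__ == "__main__":
    # Certificate the domain owner deployed at the hoster, issued for the MX name.
    print(verify_outcomes("example.com", ["mail.example.com"]))
    # The hoster's own certificate, issued only for its canonical host name.
    print(verify_outcomes("example.com", ["*.hoster.example"]))
    print(mta_sts_mx_allowed(reference_identities("example.com")["pre_cname"],
                             ["*.example.com"]))
```

Run as a script, the first dictionary shows the certificate for `mail.example.com` verifying only under the pre-CNAME rule, and the second shows the hoster's wildcard certificate verifying only under the post-CNAME rule. The security point behind preferring the pre-CNAME name: the post-CNAME name is whatever the (usually unsigned) CNAME answer says it is, so matching against it lets the resolver's answer choose the identity being verified, whereas the MX host name is the name the client set out to reach and is also what an MTA-STS policy's `mx` patterns are compared against.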