Hello, many thanks for your work on DANE support. Right now it's not working for me, though.

Compiled latest trunk (based on the Debian package) with DANE and other features added:

  /usr/sbin/exim -bV
  Exim version 4.84+82dbd37+LPexp1 #2 built 03-Sep-2014 17:47:26
  Copyright (c) University of Cambridge, 1995 - 2014
  (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
  Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
  Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP Experimental_DANE Experimental_Proxy Experimental_TPDA Experimental_Certnames Experimental_DSN
  Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
  Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
  Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
  Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
  Fixed never_users: 0
  Size of off_t: 8
  Configuration file is /etc/exim4/exim4.conf

Configuration includes

  dns_dnssec_ok = 1

as global option and

  dnssec_request_domains = *
  hosts_try_dane = *

in the remote_smtp transport.

Sending messages to test domains with DANE setups, I see no "CV=dane" in the log. Debugging output shows nothing about DANE apart from

  "a.b.c.d in hosts_require_dane? no (option unset)"

DNSSEC: "Coerced resolver DNSSEC support on." before DNS lookups.

Adding "hosts_require_dane = mx.test.domain" leads to:

  12:49:32  4112 SMTP<< 220 2.0.0 Ready to start TLS
  12:49:32  4112 Coerced resolver DNSSEC support on.
  12:49:32  4112 gethostbyname2 looked up these IP addresses:
  12:49:32  4112   name=mx.test.domain address=2a03:xxx:xxx:xxx::1
  12:49:32  4112   name=mx.test.domain address=37.x.x.x
  12:49:32  4112 2a03:xxx:xxx:xxx::1 in hosts_require_dane? yes (matched "mx.test.domain")
  12:49:32  4112 LOG: MAIN
  12:49:32  4112   DANE error: previous lookup not DNSSEC
  12:49:32  4112 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
  12:49:32  4112 2a03:xxx:xxx:xxx::1 in hosts_require_tls? no (option unset)
  12:49:32  4112 Coerced resolver DNSSEC support on.
  12:49:32  4112 gethostbyname2 looked up these IP addresses:
  12:49:32  4112   name=mx.test.domain address=2a03:xxx:xxx:xxx::1
  12:49:32  4112   name=mx.test.domain address=37.x.x.x
  12:49:32  4112 2a03:xxx:xxx:xxx::1 in hosts_require_dane? yes (matched "mx.test.domain")
  12:49:32  4112 set_process_info: 4112 delivering 1XPUbD-00012m-Cy: just tried mx.test.domain [2a03:xxx:xxx:xxx:1] for [email protected]: result DEFER

So, the problem seems to be DNSSEC not being checked, despite "dnssec_request_domains = *". Any idea why? Using dig for this domain/hosts (on the same system) gives authenticated data.

Further: exim -be with

  ${lookup dnsdb{dnssec_strict,mx=test.domain}}

(and a=..., aaaa=...) DOES work...

Regards,
Lutz

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/ ##
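
The dig check the post describes doing by hand, written out as an added example (this is not code from the original message or from Exim). The script walks the lookups a DANE-protected delivery depends on, MX for the domain, A/AAAA for each MX host, and TLSA at _25._tcp.<host>, and for each one reports whether the local resolver returned the answer with the AD (authenticated data) flag, which is the property a DNSSEC-aware MTA needs before it will trust TLSA data. It assumes dig (bind9-dnsutils) is installed and that /etc/resolv.conf points at a validating resolver; the domain is a placeholder taken from the command line.

```shell
#!/bin/sh
# Added example, not from the original post or from Exim.  Walks the DNS
# lookups a DANE-verified SMTP delivery depends on and reports, per lookup,
# whether the local resolver set the AD (authenticated data) flag.
# Assumes dig (bind9-dnsutils) is installed and a validating resolver is
# configured in /etc/resolv.conf.  The domain is taken from argv[1].

# ad_flag_set DIG_OUTPUT: succeed if the ';; flags:' header carries 'ad'.
ad_flag_set() {
    printf '%s\n' "$1" | grep -qE '^;; flags:.* ad[ ;]'
}

# answer_count DIG_OUTPUT: print the ANSWER count from the flags line
# (prints nothing when there was no response at all).
answer_count() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# lookup_verdict DIG_OUTPUT MIN: print a one-line verdict and return 0 only
# when the response was authenticated (AD) and had at least MIN records.
# An authenticated empty answer is fine for AAAA (MIN=0) but not for TLSA.
lookup_verdict() {
    n=$(answer_count "$1")
    if [ -z "$n" ]; then
        echo 'no response'; return 1
    fi
    if ! ad_flag_set "$1"; then
        echo "$n records, AD NOT set"; return 1
    fi
    if [ "$n" -lt "$2" ]; then
        echo "$n records (AD set, but need $2)"; return 1
    fi
    echo "$n records, AD set"
}

# check_lookup TYPE NAME MIN: run one query, print TYPE NAME verdict.
# +dnssec asks for DO=1; +comments keeps the ';; flags:' header line.
check_lookup() {
    type=$1; name=$2; min=$3
    out=$(dig +dnssec +noall +comments +answer "$type" "$name")
    verdict=$(lookup_verdict "$out" "$min")
    status=$?
    printf '%-5s %-40s %s\n' "$type" "$name" "$verdict"
    return $status
}

# dane_chain DOMAIN: MX first, then address and TLSA records per MX host.
# Returns 0 only if every lookup in the chain came back authenticated.
dane_chain() {
    domain=$1; rc=0
    command -v dig >/dev/null 2>&1 || { echo 'dig not found' >&2; return 2; }
    check_lookup MX "$domain" 1 || rc=1
    for host in $(dig +short MX "$domain" | awk '{ sub(/\.$/, "", $2); print $2 }'); do
        check_lookup A    "$host" 0 || rc=1
        check_lookup AAAA "$host" 0 || rc=1
        check_lookup TLSA "_25._tcp.$host" 1 || rc=1
    done
    return $rc
}

# Usage: sh dane-chain-check.sh example.net
if [ $# -gt 0 ]; then
    dane_chain "$1"
fi
```

Any line showing "AD NOT set" is a lookup the MTA will refuse to use for DANE; a TLSA line showing "0 records" means the host publishes no TLSA record and DANE cannot apply to it regardless of the resolver.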
