Hi

I've configured DANE for one Exim mailserver, but only outgoing mails seem to 
use DANE.

1) Configured DNSSEC on bind9 for the domain where the MX is also configured, 
and registered it at the registrar. Checked against 
"http://dnsviz.net/d/mydomain.de/dnssec/":
Everything (A, AAAA, NS, MX, SOA) has the status "secure".

2) Installed unbound as a DNS resolver on the Exim host and put it in 
/etc/resolv.conf; also tested whether the other NS offer DNSSEC.

3) Configured a Let's Encrypt certificate and a TLSA record. Checked against 
"https://dane.sys4.de/smtp/mydomain.de":
Everything is "green" and has a usable TLSA record.

4) Configured Exim. Used swaks as SMTP client and checked with openssl whether 
the SHA2-256 hash of the offered certificate matches the TLSA record.
Everything seems to be fine, as tested on "dane.sys4.de".

In configure:

        my router / dnslookup section:
           dnssec_request_domains = *

        my transport / remote_smtp section:
           dnssec_request_domains = *
           hosts_try_dane     = *
           dkim_domain        = ${lookup pgsql{DKIM_DOMAINS}}
           dkim_strict        = 0
           dkim_canon         = relaxed
           dkim_selector      = default
           dkim_private_key   = ${if exists \
           … 

5) Created a test account at mailbox.org and sent mails back and forth.

The log shows "CV=dane" only for >> outgoing mails:

<= [email protected] … P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no … from <[email protected]> for [email protected]
… => [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.org DS [80.241.60.212]:25 I=[98.76.54.32]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/OU=Domain Validated Only/CN=*.mailbox.org" C="250 2.0.0 from MTA(smtp:[80.241.60.212]:10025): 250 2.0.0 Ok: queued as 84E9145C4F" QT=3s DT=2s


<< Incoming mails from mailbox.org have only "CV=no":

SMTP connection from mx1.mailbox.org [80.241.60.212]:48647 I=[98.76.54.32]:25 closed by QUIT
DKIM: d=mailbox.org s=mail20150812 c=relaxed/simple a=rsa-sha256 b=2048 t=1493050957 [verification succeeded]
<= [email protected] H=mx1.mailbox.org [80.241.60.212]:48647 I=[98.76.54.32]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no … from <[email protected]> for [email protected]
=> nti <[email protected]> F=< [email protected]> … Completed QT=1s

Is it because DKIM is also configured? How can I check what Exim does and does 
not do with DANE, to get more information than just looking at the "CV=dane" 
log entry? Which debug flags should I use: dns, resolver, transport?


Cheers
Nicola


Exim version 4.89 #0 (FreeBSD 11.0)
Support for: crypteq iconv() IPv6 use_setclassresources Perl Expand_dlfunc 
OpenSSL Content_Scanning DKIM DNSSEC Event I18N PRDR TCP_Fast_Open 
Experimental_SPF Experimental_SRS Experimental_DANE Experimental_DCC
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
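An added example, not from the post or from the Exim project: a small Python parser for Exim main-log lines like the ones quoted above, which tallies the CV= result per direction and flags outbound deliveries worth a second look. The key point it encodes is that on an inbound `<=` line CV= reports Exim's verification of the connecting client's certificate, while DANE verification is done only by the smtp transport when Exim is the client, so CV=dane can appear only on `=>` delivery lines (inbound DANE use would show in the remote MTA's own log). The sample lines, addresses, IPs and queue ids are constructed; the `DS` token after H= is Exim's tag for a DNSSEC-secured host lookup.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log excerpt in the post; addresses,
# IPs and queue ids are placeholders. "DS" after H= is Exim's tag for a
# DNSSEC-secured host lookup; CV= is the certificate verification result.
SAMPLE_LOG = """\
<= sender@mailbox.example H=mx1.mailbox.example [192.0.2.10]:48647 I=[198.51.100.5]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no from <sender@mailbox.example> for nti@mydomain.example
=> nti <nti@mydomain.example> F=<sender@mailbox.example> R=localuser T=local_delivery QT=1s
=> sender@mailbox.example F=<nti@mydomain.example> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.example DS [192.0.2.10]:25 I=[198.51.100.5]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/CN=*.mailbox.example" C="250 2.0.0 Ok: queued as ABC123" QT=3s DT=2s
=> bob@secure.example F=<nti@mydomain.example> R=dnslookup T=remote_smtp S=1200 H=mx.secure.example DS [203.0.113.7]:25 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 ok" QT=1s DT=1s
=> carol@plain.example F=<nti@mydomain.example> R=dnslookup T=remote_smtp S=900 H=mx.plain.example [203.0.113.9]:25 C="250 ok" QT=1s DT=1s
"""

# Lines may be bare (as quoted in the post) or prefixed with "date time msgid".
LINE_RE = re.compile(r"^(?:\S+ \S+ \S+ )?(?P<flag><=|=>) ")
HOST_RE = re.compile(r"\bH=(?P<host>\S+)(?P<ds> DS)? \[(?P<ip>[^\]]+)\]")
FIELD_RE = re.compile(r"\b(?P<k>P|X|CV|T)=(?P<v>\S+)")


def parse_line(line):
    """Return the TLS/DANE facts of a <= (receive) or => (delivery) line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = HOST_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    return {
        "direction": "inbound" if m.group("flag") == "<=" else "outbound",
        "host": host.group("host") if host else None,  # None: local delivery
        "dnssec": bool(host and host.group("ds")),
        "tls": fields.get("X"),                        # None: cleartext session
        "cv": fields.get("CV", "none"),
    }


def summarize(log_text):
    """Tally CV= per direction; list outbound SMTP sessions that deserve a look."""
    counts, findings = Counter(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or (rec["direction"] == "outbound" and not rec["host"]):
            continue
        counts[(rec["direction"], rec["cv"])] += 1
        if rec["direction"] == "inbound":
            continue  # inbound CV= is about the peer's client cert, never DANE
        if rec["tls"] is None:
            findings.append(f"{rec['host']}: delivered in cleartext")
        elif rec["dnssec"] and rec["cv"] != "dane":
            findings.append(f"{rec['host']}: DNSSEC-secured MX but CV={rec['cv']} (no usable TLSA, or hosts_try_dane not matched?)")
    return counts, findings
```

Running `summarize(SAMPLE_LOG)` over a real mainlog (with the date/time/message-id prefix) works the same way; the counts separate inbound client-cert verification from outbound DANE results.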