> On Apr 24, 2017, at 9:23 PM, Nicola Tiling <[email protected]> wrote:
> 
> 
> The log shows only „CV=dane“ for >> outgoing mails:
> 
> <= [email protected] … P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
> CV=no … from <[email protected]> for [email protected]
> … => [email protected] F=<[email protected]> P=<[email protected]> 
> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.org DS [80.241.60.212]:25 
> I=[98.76.54.32]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane 
> DN="/OU=Domain Validated Only/CN=*.mailbox.org" C="250 2.0.0 from 
> MTA(smtp:[80.241.60.212]:10025): 250 2.0.0 Ok: queued as 84E9145C4F" QT=3s 
> DT=2s
> 
> 
> << Incoming mails from mailbox.org have only "CV=no"

This is exactly as it should be.  DANE authentication is asymmetric:
the client uses DANE to authenticate the server, but the server is
completely unaware of this.  Either way the client performs a TLS
handshake after STARTTLS and sends a message.

Clients don't (yet) have DANE TLSA records for the server to check.
The spec for this took too long to create, and the DANE WG was closed
in the meantime.  So there may not ever be such a spec.  Or it might
get done once broad server adoption shows a more compelling case for
doing something in the converse direction.

-- 
        Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
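
An added example, not part of the original thread and not Exim project code: a small audit script that reads Exim main-log lines and reports, per direction, what the local Exim actually verified, which makes the asymmetry described in the reply visible. The sample log lines, hosts and addresses are constructed, and the classification labels are this example's own names.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log style; hosts and addresses are made up.
SAMPLE_LOG = """\
2017-04-24 21:00:01 1d2abc-0001Xy-AA <= alice@example.org H=mx1.example.net [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2101
2017-04-24 21:00:05 1d2abd-0001Xz-BB => bob@example.net R=dnslookup T=remote_smtp H=mx1.example.net [192.0.2.10] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/CN=mx1.example.net"
2017-04-24 21:00:09 1d2abe-0001Y0-CC => carol@example.com R=dnslookup T=remote_smtp H=mail.example.com [198.51.100.7] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
2017-04-24 21:00:12 1d2abf-0001Y1-DD => dave@example.edu R=dnslookup T=remote_smtp H=mx.example.edu [203.0.113.5]
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+ (?P<flag><=|=>|->) (?P<addr>\S+)(?P<rest>.*)$")
# A field is NAME=value or NAME="quoted value"; the lookbehind skips "CN=" inside a DN.
FIELD_RE = re.compile(r'(?<!\S)([A-Za-z]+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return direction, address and TLS fields of one arrival/delivery line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "direction": "inbound" if m.group("flag") == "<=" else "outbound",
        "address": m.group("addr"),
        "tls": "X" in fields,          # X= is only logged when TLS was negotiated
        "cv": fields.get("CV"),
    }

def classify(rec):
    """Map one parsed record to what the local Exim actually verified."""
    if not rec["tls"]:
        return "cleartext"
    if rec["direction"] == "outbound":
        # Exim is the TLS client here, so CV reports its check of the remote server.
        return {"dane": "dane-verified", "yes": "cert-verified"}.get(rec["cv"], "tls-unverified")
    # Exim is the TLS server here: CV is about the client's certificate only.
    # Whether the sender validated our TLSA records never shows up in our log.
    return "client-cert-verified" if rec["cv"] == "yes" else "client-cert-unverified"

def summarize(log_text):
    """Count (direction, classification) pairs over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["direction"], classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(*key, n)
```

Only outbound lines can ever land in the `dane-verified` bucket; an inbound `CV=no` says nothing about whether the sending host authenticated this server with DANE.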
