> On May 22, 2018, at 12:09 PM, Cyborg via Exim-users <exim-users@exim.org> wrote:
>
> So, what's the status of DANE for Exim?
>
> Any useful self-explaining examples at hand? :)
Have you looked at:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECDANE

One small correction to the text below:

If a private CA is used then either all clients must be primed with it, or (probably simpler) the server TLS handshake must transmit the entire certificate chain from CA to server-certificate. If a public CA is used then all clients must be primed with it (losing one advantage of DANE) - but the attack surface is reduced from all public CAs to that single CA.

The DANE implementation in both Postfix and Exim (at least when OpenSSL is used, not sure about GnuTLS) ignores the local CA trust store when building chains for DANE-TA(2) verification. The trust-anchor certificate MUST be part of the certificate chain provided by the server. This is consistent with:

https://tools.ietf.org/html/rfc7671#section-5.2.2

-- 
Viktor.
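To make the DANE-TA(2) rule in the reply above concrete, here is an added, self-contained Go example (editor's illustration, not code from Exim, Postfix, or Viktor). It builds a throw-away private CA and a server certificate for the made-up host mx.example.test, publishes the CA as a "2 1 1" TLSA association (SHA-256 over the SubjectPublicKeyInfo), and then verifies the chain the way the post describes: the trust anchor is looked up only among the certificates the server presented, and the local CA store is never consulted. Dropping the CA certificate from the presented chain makes verification fail even though the same CA would be "trusted" locally. All names, serials and the hostname are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one TLSA record (RFC 6698): usage 2 = DANE-TA, selector 1 = SPKI, matching 1 = SHA-256.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// TLSAForTrustAnchor builds the "2 1 1" record an operator would publish for the CA
// certificate (private or public) chosen as the DANE trust anchor.
func TLSAForTrustAnchor(ca *x509.Certificate) TLSA {
	sum := sha256.Sum256(ca.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 2, Selector: 1, Matching: 1, Data: sum[:]}
}

// VerifyDANETA applies the rule from the post: the trust anchor is searched for only among
// the certificates the server presented (presented[0] is the end-entity certificate) and
// the local CA store is never consulted, so a missing anchor fails regardless of local trust.
func VerifyDANETA(presented []*x509.Certificate, rec TLSA, hostname string) error {
	if rec.Usage != 2 || rec.Selector != 1 || rec.Matching != 1 {
		return errors.New("only TLSA 2 1 1 is handled in this example")
	}
	if len(presented) == 0 {
		return errors.New("server presented no certificates")
	}
	roots, inters, found := x509.NewCertPool(), x509.NewCertPool(), false
	for i, c := range presented {
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		if bytes.Equal(sum[:], rec.Data) {
			roots.AddCert(c) // the matched certificate becomes the only trusted root
			found = true
		} else if i > 0 {
			inters.AddCert(c)
		}
	}
	if !found {
		return errors.New("DANE-TA: trust anchor not in the server's certificate chain")
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

// newCert signs template with parent/parentKey, or self-signs it when parent is nil.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ConstructedPKI creates a throw-away private CA and a server certificate for the
// made-up host mx.example.test (constructed sample data, not a real deployment).
func ConstructedPKI() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	server, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "mx.example.test"},
		DNSNames:  []string{"mx.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, server, err
}

func main() {
	ca, server, err := ConstructedPKI()
	if err != nil {
		panic(err)
	}
	rec := TLSAForTrustAnchor(ca)
	fmt.Println("CA in presented chain:    ", VerifyDANETA([]*x509.Certificate{server, ca}, rec, "mx.example.test"))
	fmt.Println("CA absent from chain:     ", VerifyDANETA([]*x509.Certificate{server}, rec, "mx.example.test"))
}
```

The same shape carries over to a server-side check: concatenate the CA certificate into the file the MTA serves as its chain, then confirm with a client that only the presented chain, and not the local trust store, satisfies the 2 1 1 record.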