On 2018-05-22 at 18:09 +0200, Cyborg via Exim-users wrote:
> The German office of security (BSI) has given out a policy that
> secure email servers should have DANE implemented.
>
> So, what's the status of DANE for Exim?
>
> Any useful self-explaining examples at hand? :)
Outbound or inbound?

Inbound: once you have TLS configured there's nothing to do in Exim, it's all in how you configure DNS. Viktor provided a link to the docs:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECDANE

For outbound delivery: make sure that you have a validating DNS resolver. I use Unbound.

Search for both "dnssec" and "dane" in:
https://git.exim.org/exim.git/blob/HEAD:/src/src/configure.default

That's the current default Exim configuration in Git, updated since the last release. Future releases will have the default configuration file enable DANE as long as Exim was compiled with support.

Relevant parts (line-numbers per "current HEAD" and might change):

    228 # The setting below causes Exim to try to initialize the system resolver
    229 # library with DNSSEC support. It has no effect if your library lacks
    230 # DNSSEC support.
    231
    232 dns_dnssec_ok = 1

    596 dnslookup:
        #...
    603   dnssec_request_domains = *

    733 remote_smtp:
        #...
    736 .ifdef _HAVE_DANE
    737   dnssec_request_domains = *
    738   hosts_try_dane = *
    739 .endif

That's it. You tell Exim to try to enable DNSSEC in DNS queries; when routing you tell Exim to ask for DNSSEC for all domains; when delivering you tell Exim to enable DNSSEC for all domains and to try to enable DANE verification for all outbound connections.

If you want to enable filtered lists of hosts/domains, to work around known brokenness, then change the `= *` to hostlist patterns in the usual Exim way, so you can reference files etc.

If you want to enable such workarounds, then try: <https://danefail.org/>. They link to their GitHub repository, with current lists. You'll need to automate the updates of that.

Myself, I don't currently run commercial mail-services, so I just don't bother exempting anyone. If someone breaks DANE, they lose inbound mail until they fix it, and it's almost never been an issue.
I think I once saw issues in the queues of exim.org for some domain and I reached out to them separately and it got fixed.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
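The thread explains what the Exim settings switch on (DNSSEC-validated lookups plus DANE verification on outbound delivery) but not what the verification itself decides. The following is an added example, not Exim's code and not part of the mailing-list post: it parses TLSA records in the presentation form that `dig` prints, derives the association data from a presented certificate per RFC 6698, and applies the SMTP-specific rules of RFC 7672 (PKIX-TA/PKIX-EE are unusable; an RRset that was not DNSSEC-validated means DANE does not apply and delivery falls back to opportunistic TLS). The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER, and the example assumes the TLS stack has already checked the signatures along the presented chain, so DANE-TA only has to locate the anchor in that chain.

```python
"""DANE TLSA matching for an outbound SMTP connection (RFC 6698, RFC 7671, RFC 7672).

Added example for the discussion above; not Exim code and not from the
mailing-list post. Callers pass certificate/SPKI bytes that are constructed
test values, not real DER.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Sequence, Tuple

# Certificate usages (RFC 7218 acronyms). RFC 7672 makes only DANE-TA and
# DANE-EE usable for SMTP: an MTA has no meaningful PKIX trust-store policy to
# fall back on, so PKIX-TA / PKIX-EE records are treated as unusable.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1                  # selector: full cert or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2    # matching type: exact, SHA2-256, SHA2-512


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse 'usage selector mtype hex...' as printed by dig; the hex field may
    be split into several whitespace-separated chunks."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"TLSA record needs 4 fields: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"TLSA parameters out of range: {rdata!r}")
    data = bytes.fromhex("".join(fields[3:]))
    expected = {MT_SHA256: 32, MT_SHA512: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply selector and matching type to a certificate, yielding the bytes a
    TLSA record for that certificate would carry."""
    selected = cert_der if record.selector == SEL_CERT else spki_der
    if record.mtype == MT_FULL:
        return selected
    if record.mtype == MT_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Constant-time comparison; unequal lengths simply compare False."""
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Operator side: build the presentation form to publish for a certificate."""
    probe = TLSA(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(probe, cert_der, spki_der).hex()}"


def dane_verify(records: Sequence[TLSA],
                chain: Sequence[Tuple[bytes, bytes]],
                tlsa_dnssec_secure: bool) -> Tuple[bool, str]:
    """Decide whether the presented chain satisfies the TLSA RRset.

    chain[0] is the end-entity (cert_der, spki_der); later entries are the
    issuers the server presented. Assumption: the TLS stack has already
    verified that each certificate is signed by the next one, so DANE-TA only
    needs to find the anchor among the presented issuers.
    """
    if not tlsa_dnssec_secure:
        # Same rule the dnssec_request_domains settings express: an unsigned
        # TLSA answer is not evidence, so DANE does not apply to this host.
        return False, "TLSA RRset not DNSSEC-validated; DANE not applicable"
    usable = [r for r in records if r.usage in (DANE_TA, DANE_EE)]
    if not usable:
        return False, "no usable (DANE-TA/DANE-EE) TLSA records"
    for r in usable:
        if r.usage == DANE_EE and matches(r, *chain[0]):
            return True, "DANE-EE match on end-entity certificate"
        if r.usage == DANE_TA and any(matches(r, c, s) for c, s in chain[1:]):
            return True, "DANE-TA match on an issuer in the presented chain"
    return False, "TLSA records present but none match the presented chain"
```

The `tlsa_rdata` helper is the publishing side of the same computation: generate the record from the certificate you actually serve, then compare what `dane_verify` returns for the served chain before and after a certificate rotation, which is the failure mode that lands a domain on the danefail lists mentioned above.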