> On Sep 5, 2018, at 1:56 AM, Klaus Ethgen via Exim-users <exim-users@exim.org> wrote:
>
> I had the same problem some days ago.
>
> I do not trust any CA, so no CA is in my truststore. However, some days
> ago, I posted to lists.gentoo.org. They have a valid TLSA entry but exim
> told me that it can't be validated so the mail stuck in queue.
>
> After I enabled (temporarily) the random CA they use, I got a
> successful delivery with the log file saying that it was validated via
> DANE.

For now, switch to a version of Exim that is compiled with OpenSSL.

There's nothing wrong with your original configuration or with gentoo.org's
DANE TLSA records. The issue is that Exim with GnuTLS does not presently seem
to handle DANE-TA(2) correctly.

Abbreviated trace from my DANE survey engine (the certificate issuer is
"Let's Encrypt Authority X3"):

  gentoo.org. IN MX 10 mail.gentoo.org. ; NoError AD=1
  _25._tcp.mail.gentoo.org. IN CNAME postfix-tlsa.woodpecker.gentoo.org. ; NoError AD=1
  postfix-tlsa.woodpecker.gentoo.org. IN CNAME generic-letsencrypt.tlsa.gentoo.org. ; NoError AD=1
  generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b ; NoError AD=1
  generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1

  mail.gentoo.org[140.211.166.183]: pass: TLSA match: depth = 1, name = mail.gentoo.org
    depth = 1
      pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    depth = 2
      pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b
  mail.gentoo.org[2001:470:ea4a:1:5054:ff:fec7:86e4]: pass: TLSA match: depth = 1, name = mail.gentoo.org
    depth = 1
      pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    depth = 2
      pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

-- 
	Viktor.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
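The matching the trace reports, DANE-TA(2) records compared by SPKI SHA-256 against the issuers at depth 1 and 2 with no local CA store involved, as an added example that is not code from the thread, from Exim or from the survey engine. The TLSA parser and matcher are my own, and the three-certificate chain uses constructed placeholder bytes rather than real DER.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TlsaRecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rr: str) -> TlsaRecord:
    """Parse presentation-format TLSA, e.g. '_25._tcp.mail.example. IN TLSA 2 1 1 <hex>'."""
    f = rr.split()
    i = f.index("TLSA") + 1 if "TLSA" in f else 0  # owner/IN/TLSA prefix is optional
    return TlsaRecord(int(f[i]), int(f[i + 1]), int(f[i + 2]), bytes.fromhex("".join(f[i + 3:])))

def matching_data(cert: dict, rec: TlsaRecord) -> bytes:
    """cert = {'der': <whole certificate DER>, 'spki': <SubjectPublicKeyInfo DER>}."""
    blob = cert["spki"] if rec.selector == 1 else cert["der"]
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[rec.mtype]
    return digest(blob)

def dane_match(chain: list, records: list):
    """chain[0] is the leaf, chain[1:] its issuers at depth 1, 2, ...  DANE-EE(3) is
    tested against the leaf only, DANE-TA(2) against any issuer at depth >= 1; neither
    consults a CA trust store. PKIX-TA(0)/PKIX-EE(1) would also need a trust-store
    path, so they are skipped here. Returns (depth, record) on first match, else None."""
    for rec in records:
        if rec.usage == 3:
            candidates = [(0, chain[0])]
        elif rec.usage == 2:
            candidates = list(enumerate(chain))[1:]
        else:
            continue
        for depth, cert in candidates:
            if matching_data(cert, rec) == rec.data:
                return depth, rec
    return None

# Constructed three-certificate chain (placeholder bytes, not real DER).
CHAIN = [{"der": b"leaf-der", "spki": b"leaf-spki"},
         {"der": b"intermediate-der", "spki": b"intermediate-spki"},
         {"der": b"root-der", "spki": b"root-spki"}]

def sample_records() -> list:
    """Publish '2 1 1' for both issuers, as the gentoo.org records in the trace do."""
    return [parse_tlsa(f"_25._tcp.mail.example. IN TLSA 2 1 1 {hashlib.sha256(c['spki']).hexdigest()}")
            for c in (CHAIN[2], CHAIN[1])]
```

`dane_match(CHAIN, sample_records())` returns a depth-2 match on the root's SPKI digest; pointing a usage-2 record at the leaf's own key yields no match, which is the DANE-EE(3) case instead.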
Re: [exim] DANE(TA) doesn't work with self signed certificates
Viktor Dukhovni via Exim-users Wed, 05 Sep 2018 06:06:02 -0700