Hello Phil,

Thanks for the passive solution.

Would you please advise what exactly in their DNS is broken? And will exim by default try DANE on all hosts or not? Because I haven't found these two configs in the exim config currently.

Thanks

Daniel


On 2020/3/26 01:10 AM, Phil Pennock wrote:
> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received complaints from many of our end users that they are having
> > problems sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.
>
> > However we have contacted our government and their response is:
> > “Our DNSSEC setup is fine, and it is not necessary to have DANE setup together
> > with DNSSEC, so it is the exim MTA problem. We have not actually set up DANE”
> > Now here comes the problem: how can we solve this problem passively? We have
> > many cPanel servers with Exim.
>
> You have one of these two options set on your SMTP Transport:
>
>      hosts_try_dane
>      hosts_require_dane
>
> Each of those takes a host-list, so might currently look like:
>
>      hosts_try_dane = *
>
> You can change that to look like:
>
>      hosts_try_dane = !*.gov.hk : *
>
> If the host-list references external files, take a look at those.
>
> -Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
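
Added example, not part of the thread and not Exim's own code: a simplified Python model of how a name-only host list such as `!*.gov.hk : *` is evaluated, showing that the first matching item decides and so the negated item must come before `*`. The host names are constructed, and the model ignores IP addresses, netmasks, lookups and file references that real host lists accept.

```python
# Simplified model of Exim host-list evaluation for name patterns only.
# Assumption: items are plain names or leading-'*' wildcards, optionally
# negated with '!'. Real host lists support many more item types.

def split_list(value):
    """Split a colon-separated list into trimmed, non-empty items."""
    return [item.strip() for item in value.split(":") if item.strip()]

def item_matches(pattern, host):
    """'*' matches any host; a leading '*' compares the tail of the name."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern

def host_in_list(value, host):
    """Scan left to right; the first item that matches decides the result."""
    negated = False
    for item in split_list(value):
        negated = item.startswith("!")
        pattern = item[1:].strip() if negated else item
        if item_matches(pattern, host):
            return not negated
    # Nothing matched: the list matches only if its last item was negated.
    return negated

def dane_attempted(hosts_try_dane, hosts):
    """Map each remote host name to whether the setting selects it."""
    return {h: host_in_list(hosts_try_dane, h) for h in hosts}

# Constructed host names, for illustration only.
SAMPLE_HOSTS = ["mx.example.gov.hk", "mail.example.org"]

if __name__ == "__main__":
    # Third setting has the items in the wrong order: '*' matches first.
    for setting in ("*", "!*.gov.hk : *", "* : !*.gov.hk"):
        print(f"{setting!r:20} {dane_attempted(setting, SAMPLE_HOSTS)}")
```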
