On Tue, Mar 31, 2020 at 12:04:06PM +0100, Jeremy Harris via Exim-users wrote:

> On 30/03/2020 07:50, daniel via Exim-users wrote:
> > And will exim by default try DANE on all hosts or not? Because I didn't find
> > these two configs in the exim config currently.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D

Jeremy, there is perhaps a cut-n-paste error in the SMTP transport
variable docs:

    http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146

The text for "hosts_require_dane" and "hosts_try_dane" reads the same:

    hosts_require_dane
    Use: smtp    Type: host list†    Default: unset

    If built with DANE support, Exim will require that a
    DNSSEC-validated TLSA record is present for any host matching the
    list, and that a DANE-verified TLS connection is made. See the
    dnssec_request_domains router and transport options. There will be
    no fallback to in-clear communication. See section 43.15.

    hosts_try_dane
    Use: smtp    Type: host list†    Default: *

    If built with DANE support, Exim will require that a
    DNSSEC-validated TLSA record is present for any host matching the
    list, and that a DANE-verified TLS connection is made. See the
    dnssec_request_domains router and transport options. There will be
    no fallback to in-clear communication. See section 43.15.

But, presumably, with the "try" variant, the TLSA RRs are not actually
required, and DANE is applied only when TLSA RRs are present
(RFC7672-style opportunistic DANE TLS).

-- 
    Viktor.
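Added example, not part of the original message and not Exim's code: a small Python model of the distinction drawn above, following RFC 7672 opportunistic DANE for the "try" case. The names `Tlsa`, `Action`, `in_list` and `dane_policy` are hypothetical, host-list matching is reduced to shell-style globs, and the case of a TLSA RRset with only unusable records is left out.

```python
from enum import Enum
from fnmatch import fnmatch


class Tlsa(Enum):
    SECURE = "DNSSEC-validated TLSA RRset found"
    ABSENT = "no TLSA RRset, or the zone is unsigned"
    FAILED = "lookup error (timeout, SERVFAIL, bogus signatures)"


class Action(Enum):
    DANE_TLS = "TLS required and verified against the TLSA records"
    NO_DANE = "proceed without DANE; ordinary TLS settings apply"
    NO_DELIVERY = "do not deliver to this host now"


def in_list(host, patterns):
    # Simplified stand-in for Exim host-list matching: globs only.
    return any(fnmatch(host, p) for p in patterns)


def dane_policy(host, tlsa, require=(), try_=("*",)):
    """Decide how to treat one MX host.

    require / try_ stand in for hosts_require_dane (default unset)
    and hosts_try_dane (default *).
    """
    required = in_list(host, require)
    if not required and not in_list(host, try_):
        return Action.NO_DANE          # DANE is not attempted at all
    if tlsa is Tlsa.SECURE:
        return Action.DANE_TLS         # same for both options, no cleartext fallback
    if tlsa is Tlsa.FAILED:
        # RFC 7672: a failed lookup must not be treated as "no TLSA",
        # otherwise an attacker who can break DNS can force a downgrade.
        return Action.NO_DELIVERY
    # Tlsa.ABSENT is the only case where "require" and "try" differ.
    return Action.NO_DELIVERY if required else Action.NO_DANE


if __name__ == "__main__":
    # Constructed sample host; mx.example.net is a placeholder name.
    for req in ((), ("*.example.net",)):
        for state in Tlsa:
            result = dane_policy("mx.example.net", state, require=req)
            print(f"require={req!r:20} {state.name:7} -> {result.name}")
```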