On Wed, July 11, 2018 11:12, Viktor Dukhovni wrote:
> On Wed, Jul 11, 2018 at 10:13:48AM -0400, James B. Byrne wrote:
>
>> > The connecting client did not like one of the certificates in the
>> > chain.  Perhaps it expected to find a working WebPKI certificate
>> > from one of the usual suspects ("browser bundle" public root CAs).
>> >
>> > You should ask the postmaster of the sending domain?
>> > Is the problem ongoing?  Or a transient glitch?
>>
>> It is an ongoing problem with delivery to us of the samba-users
>> mailing list digest, of which I am a subscriber.
>
> Any logs they're willing to share would likely be enlightening.
>

I will ask.

>> I am in communication with the person directly responsible for
>> implementing DANE at that site.  They have just implemented DANE
>> which is when the problems first started.
>
> Do you know which MTA they're using?
>

NMAP reports: Exim smtpd 4.91

>
>> and as they are missing a number of TLSA RRs
>
> What does that mean???
>

When I run a DANE test against the domain that is failing to connect
this is among the results:

Test #  Host    IP      Status  Test Description (§ Section)

103     hr1.samba.org   FAILED  Service hostname must have matching TLSA record
Resolving TLSA records for hostname '_25._tcp.hr1.samba.org'

403     hr1.samba.org   FAILED  All IP addresses for a host that is TLSA
protected must TLSA verify
Validating TLSA records for 0 out of 1 IP addresses found for host
hr1.samba.org

>> their problem with us may be an incomplete implementation.
>
> Do they support certificate usage DANE-TA(2)?  Perhaps their MTA
> only supports DANE-EE(3) and chokes on DANE-TA(2).  You could publish
> both "3 1 1" and "2 1 1" TLSA records for each MX host, and see if
> that resolves the issue.

I will attempt that as soon as I finish the movement of our MX
services off their current hosts and onto the new.

>
> If it does, the Samba list should disable DANE support until their
> implementation is less crippled.  It needs to either not enforce
> DANE for MX hosts with just DANE-TA(2) records, or properly support
> DANE-TA(2) records.
>

Ah.  Well, I know how welcome the news that 'one is doing something so
wrong that one should just stop doing it' can be.  I would rather
avoid the natural antagonism such advice is likely to engender. 
Instead I have provided them a few clues as to where some obvious
problems lie and left it to their judgement as to how to proceed. 
Eventually they will either sort out their troubles or arrive at the
same conclusion.

My concern in this is to assure myself that our services are running
correctly.  If they are and the difficulties all lie with samba.org
then I can live without the mailing list digest for now.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
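
Added example, not part of the original message and not code from Exim, Postfix or any DANE test tool: a simplified model of the hypothesis discussed above, that a sender supporting only DANE-EE(3) finds nothing usable when an MX host publishes only "2 1 1" records, and that publishing "3 1 1" alongside resolves it. The certificate and key bytes are constructed stand-ins, all function names are hypothetical, and the sketch assumes usage 2 is matched against issuer certificates only, with no signature, name or date checks.

```python
import hashlib

# Constructed stand-ins for DER bytes; a real check would take these from the
# TLS handshake. Each chain entry is (certificate_der, spki_der), leaf first.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")
CHAIN = [LEAF, ISSUER]

DANE_TA, DANE_EE = 2, 3


def association_data(entry, selector, mtype):
    """Hex data field for one chain entry: selector 0=cert, 1=SPKI; mtype 0/1/2."""
    blob = entry[selector]
    if mtype == 0:
        return blob.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).hexdigest()


def tlsa(usage, selector, mtype, entry):
    """Build the (usage, selector, mtype, data) tuple an operator would publish."""
    return (usage, selector, mtype, association_data(entry, selector, mtype))


def evaluate(records, chain, supported_usages=(DANE_TA, DANE_EE)):
    """Return 'match', 'mismatch', or 'unusable' (no record the client can use)."""
    usable = [r for r in records if r[0] in supported_usages
              and r[1] in (0, 1) and r[2] in (0, 1, 2)]
    if not usable:
        return "unusable"
    for usage, selector, mtype, data in usable:
        # DANE-EE(3) pins the leaf; DANE-TA(2) pins an issuer above it.
        candidates = chain[:1] if usage == DANE_EE else chain[1:]
        if any(association_data(c, selector, mtype) == data.lower()
               for c in candidates):
            return "match"
    return "mismatch"


ta_only = [tlsa(DANE_TA, 1, 1, ISSUER)]        # "2 1 1" alone
both = ta_only + [tlsa(DANE_EE, 1, 1, LEAF)]   # "2 1 1" plus "3 1 1"

if __name__ == "__main__":
    for name, rrset in (("2 1 1 only", ta_only), ("2 1 1 + 3 1 1", both)):
        print(name, "| full client:", evaluate(rrset, CHAIN),
              "| EE-only client:", evaluate(rrset, CHAIN, (DANE_EE,)))
```

The "unusable" result for the EE-only client against a "2 1 1"-only RRset is the case the quoted reply describes: a sender in that state has to either stop enforcing DANE for that host or gain DANE-TA(2) support.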
