Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Tue, Mar 31, 2020 at 12:04:06PM +0100, Jeremy Harris via Exim-users wrote:

> On 30/03/2020 07:50, daniel via Exim-users wrote:
> > And is exim
> > by default will try DANE on all hosts or not? Because I didn't find
> > these two configs in the exim config currently.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D

Jeremy, there is perhaps a cut-n-paste error in the SMTP transport variable docs:

    http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146

The text for "hosts_require_dane" and "hosts_try_dane" reads the same:

    hosts_require_dane
    Use: smtp    Type: host list†    Default: unset

    If built with DANE support, Exim will require that a DNSSEC-validated
    TLSA record is present for any host matching the list, and that a
    DANE-verified TLS connection is made. See the dnssec_request_domains
    router and transport options. There will be no fallback to in-clear
    communication. See section 43.15.

    hosts_try_dane
    Use: smtp    Type: host list†    Default: *

    If built with DANE support, Exim will require that a DNSSEC-validated
    TLSA record is present for any host matching the list, and that a
    DANE-verified TLS connection is made. See the dnssec_request_domains
    router and transport options. There will be no fallback to in-clear
    communication. See section 43.15.

But, presumably, with the "try" variant, the TLSA RRs are not actually required, and DANE is applied only when TLSA RRs are present (RFC7672-style opportunistic DANE TLS).

--
    Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?
Noted with thanks.

On 2020-03-31 19:05, Jeremy Harris via Exim-users wrote:
> On 30/03/2020 14:01, Turritopsis Dohrnii Teo En Ming via Exim-users wrote:
> > If I want to install Exim as a standalone MTA/SMTP server, are there any
> > good tutorials which I can follow?
>
> Just read the manual.
> http://exim.org/exim-html-current/doc/html/spec_html/
> --
> Cheers,
>   Jeremy

-BEGIN EMAIL SIGNATURE-
The Gospel for all Targeted Individuals (TIs):
[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Re: [exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?
On 2020-03-31 16:32, Niels Dettenbach via Exim-users wrote:
> On Monday, 30 March 2020, 15:01:00 CEST, Turritopsis Dohrnii Teo En Ming via Exim-users wrote:
> > I have deployed cPanel web hosting control panel before and Exim was
> > installed and configured automatically by cPanel.
> >
> > If I want to install Exim as a standalone MTA/SMTP server, are there any
> > good tutorials which I can follow?
>
> There are many ones - for many application scenarios - with more or less focus on security / anti spam and such, but even more important for different combinations with third party software to "form" "typical" "mailservers" (i.e. with cyrus, dovecot, xSQL, user management, anti spam / anti virus solutions etc. - and this is still except higher scale setups...).
>
> So it really depends from what your "target application" is and in which "environment" you want to place it.

I would like to setup Exim MTA/SMTP Server + POP3/S Server + IMAP/S Server + Webmail, with Spamassassin and ClamAV integration.
Re: [exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?
On 30/03/2020 14:01, Turritopsis Dohrnii Teo En Ming via Exim-users wrote:
> If I want to install Exim as a standalone MTA/SMTP server, are there any
> good tutorials which I can follow?

Just read the manual.
http://exim.org/exim-html-current/doc/html/spec_html/

--
Cheers,
  Jeremy
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On 30/03/2020 07:50, daniel via Exim-users wrote:
> And is exim
> by default will try DANE on all hosts or not? Because I didn't find
> these two configs in the exim config currently.

http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D

--
Cheers,
  Jeremy
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Mon, Mar 30, 2020 at 03:25:54PM +0800, daniel via Exim-users wrote:

> Here is one example of the actual problem I have just recently tested on
> the problem server without apply the option fix (source domain masked
> for privacy reason):
>
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testt...@xxx.com H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testt...@xxx.com S=572 id=287d2da21e9c92ef1d105bb7af95f...@xxx.com T="test" for t...@tid.gov.hk
> 2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testt...@xxx.com
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com t...@tid.gov.hk
> 2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH == t...@tid.gov.hk R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER

There is nothing wrong with the DNS configuration of tid.gov.hk:

    tid.gov.hk. IN MX 10 tidamg1.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 10 tidamg2.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 30 tidamg3.tid.gov.hk. ; NoError AD=1
    tidamg1.tid.gov.hk. IN A 202.38.18.2 ; NoError AD=1
    tidamg1.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg1.tid.gov.hk. IN TLSA ? ; NXDomain AD=1
    tidamg2.tid.gov.hk. IN A 202.38.18.3 ; NoError AD=1
    tidamg2.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg2.tid.gov.hk. IN TLSA ? ; NXDomain AD=1
    tidamg3.tid.gov.hk. IN A 203.184.133.146 ; NoError AD=1
    tidamg3.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg3.tid.gov.hk. IN TLSA ? ; NXDomain AD=1

    https://dnsviz.net/d/_25._tcp.tidamg1.tid.gov.hk/XoMFCg/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg2.tid.gov.hk/XoMFEQ/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg3.tid.gov.hk/XoMFeg/dnssec/

Off-list, you reported using Google's resolvers at 8.8.8.8 and 8.8.4.4, and those also (even in your own manual tests with "dig") reported no issues (returned NXDomain, not ServFail).

I don't know why your Exim is reporting "tlsa lookup DEFER", but you need to get more detailed output from your Exim that shows the DNS queries made, and answers received, and double-check your resolver configuration. Is Exim perhaps querying a different resolver than you thought?

You may need to record the DNS-related traffic (UDP port 53), while retrying delivery to the problem domain, in a tcpdump PCAP file and post that to the list or to me off-list.

Perhaps you have an outdated version of Exim with a known issue in DNS resolution, or a base OS with a problem in the stub resolver code in its C-library?

Whatever the issue is, more details are needed, but what is fairly clear is that the gov.hk folks are right, and the problem is not with their DNS.

--
    Viktor.
Re: [exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?
On Monday, 30 March 2020, 15:01:00 CEST, Turritopsis Dohrnii Teo En Ming via Exim-users wrote:
> I have deployed cPanel web hosting control panel before and Exim was
> installed and configured automatically by cPanel.
>
> If I want to install Exim as a standalone MTA/SMTP server, are there any
> good tutorials which I can follow?

There are many ones - for many application scenarios - with more or less focus on security / anti spam and such, but even more important for different combinations with third party software to "form" "typical" "mailservers" (i.e. with cyrus, dovecot, xSQL, user management, anti spam / anti virus solutions etc. - and this is still except higher scale setups...).

So it really depends from what your "target application" is and in which "environment" you want to place it.

--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
[exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?
Good evening from Singapore,

I have deployed cPanel web hosting control panel before and Exim was installed and configured automatically by cPanel.

If I want to install Exim as a standalone MTA/SMTP server, are there any good tutorials which I can follow?

I am looking forward to hearing from you soon.

Thank you very much.
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello,

Here is one example of the actual problem I have just recently tested on the problem server without apply the option fix (source domain masked for privacy reason):

    2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testt...@xxx.com H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testt...@xxx.com S=572 id=287d2da21e9c92ef1d105bb7af95f...@xxx.com T="test" for t...@tid.gov.hk
    2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
    2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testt...@xxx.com
    2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com t...@tid.gov.hk
    2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
    2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
    2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
    2020-03-30 15:05:00 1jIoRn-0004MT-RH == t...@tid.gov.hk R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER

On 2020-03-25 17:22, Viktor Dukhovni wrote:
> On Wed, Mar 25, 2020 at 01:10:53PM -0400, Phil Pennock via Exim-users wrote:
>
> > On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > > We recently received many of our end users complaints that they are having problem sending email to *.gov.hk with this exim error:
> > > DANE ERROR: TLSA LOOKUP DEFER
> >
> > Their DNS is broken.
>
> It would be best if the OP were at liberty to post one or (ideally) more
> example domains, or send the examples to me off-list if preferred.
>
> > > However we have contacted our government and their response is:
> > > “Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE”
> > > Now here comes the problem: how can we solve this problem passively? We have many cPanel server with Exim.
> >
> > You have one of these two options set on your SMTP Transport:
> >
>
> Indeed each sender can work around the problem for themselves, but
> that's suboptimal if the problem is on the receiving side. Ideally, if
> there is breakage on the gov.hk side, we should be able to demonstrate
> it to them in a way that elicits action to remediate the problem.
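Added example (not from any poster in this thread and not Exim project code): one way to triage the mainlog entries shown in the message above across a server, grouping "tlsa lookup DEFER" events by recipient domain with the MX hosts tried and the transport whose DANE options apply. The function name and the sample log lines (example.org hosts, documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
# Per-host line: "<date> <time> <id> H=<mx> [<ip>]: DANE error: tlsa lookup DEFER"
HOST_RE = re.compile(
    rf"^\S+ \S+ ({MSGID}) H=(\S+) \[([^\]]+)\]: DANE error: tlsa lookup DEFER$")
# Per-recipient line: "<date> <time> <id> == <rcpt> R=.. T=<transport> defer (..): ..."
RCPT_RE = re.compile(
    rf"^\S+ \S+ ({MSGID}) == \S+@(\S+) R=\S+ T=(\S+) defer \(-?\d+\): "
    r"DANE error: tlsa lookup DEFER$")

# Constructed sample in the layout of the log excerpt quoted in this thread.
SAMPLE_LOG = """\
2020-03-30 15:03:40 1aBcDe-0004MT-RH H=mx2.dept.example.org [192.0.2.3]: DANE error: tlsa lookup DEFER
2020-03-30 15:04:20 1aBcDe-0004MT-RH H=mx1.dept.example.org [192.0.2.2]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1aBcDe-0004MT-RH == user@dept.example.org R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER
2020-03-30 15:09:12 1aBcDf-0004Qx-7K H=mx1.dept.example.org [192.0.2.2]: DANE error: tlsa lookup DEFER
2020-03-30 15:09:12 1aBcDf-0004Qx-7K == info@Dept.Example.org R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER
2020-03-30 15:10:01 1aBcDg-0004Rz-Ab == someone@other.example R=dkim_lookuphost T=dkim_remote_smtp defer (110): Connection timed out
"""


def dane_defers(log_text):
    """Group 'tlsa lookup DEFER' events by recipient domain."""
    hosts_by_msg = defaultdict(set)
    report = defaultdict(
        lambda: {"messages": set(), "hosts": set(), "transports": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            # Remember which MX hosts this message tried before deferring.
            hosts_by_msg[m[1]].add((m[2], m[3]))
        elif m := RCPT_RE.match(line):
            entry = report[m[2].lower()]
            entry["messages"].add(m[1])
            entry["transports"].add(m[3])
            entry["hosts"] |= hosts_by_msg.pop(m[1], set())
    return dict(report)


if __name__ == "__main__":
    for domain, info in sorted(dane_defers(SAMPLE_LOG).items()):
        print(domain, len(info["messages"]), "message(s)",
              sorted(info["hosts"]), sorted(info["transports"]))
```

Defers with other causes (the last sample line) are ignored, so the output lists only destinations affected by failed TLSA lookups.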
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello Phil,

Thanks for the passive solution. Would you please advise what exactly of their DNS is broken? And is exim by default will try DANE on all hosts or not? Because I didn't find these two configs in the exim config currently.

Thanks
Daniel

On 2020/3/26 01:10 AM, Phil Pennock wrote:
> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many of our end users complaints that they are having problem sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.
>
> > However we have contacted our government and their response is:
> > “Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE”
> > Now here comes the problem: how can we solve this problem passively? We have many cPanel server with Exim.
>
> You have one of these two options set on your SMTP Transport:
>
>     hosts_try_dane
>     hosts_require_dane
>
> Each of those takes a host-list, so might currently look like:
>
>     hosts_try_dane = *
>
> You can change that to look like:
>
>     hosts_try_dane = !*.gov.hk : *
>
> If the host-list references external files, take a look at those.
>
> -Phil
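Added example (a simplified model written for this page, not Exim's code and not from any poster): how the host lists in the message above interact with the "try" versus "require" distinction raised elsewhere in this thread and with the outcome of the TLSA lookup. The function names and result labels are hypothetical, only `*` and `*.suffix` name patterns are handled, and the outcomes follow the documentation text quoted in the thread and RFC 7672 as an assumption.

```python
def host_list_match(host_list, host):
    """Simplified Exim host-list test (names only, no IPs or lookups).

    Items are ':'-separated, '!' negates, a leading '*' matches any prefix.
    The first matching item decides; if nothing matches, the answer is
    "yes" only when the last item was negated.
    """
    host = host.lower().rstrip(".")
    negated = False
    for item in (i.strip() for i in host_list.split(":")):
        if not item:
            continue
        negated = item.startswith("!")
        pat = item.lstrip("!").strip().lower()
        hit = host.endswith(pat[1:]) if pat.startswith("*") else host == pat
        if hit:
            return not negated
    return negated


def dane_action(host, tlsa_result, try_dane="*", require_dane=""):
    """Return the modelled outcome for one MX host.

    tlsa_result (hypothetical labels): "secure-tlsa", "no-tlsa"
    (NXDomain/NODATA or unsigned zone), "lookup-failed" (SERVFAIL, timeout).
    """
    required = host_list_match(require_dane, host)
    if not (required or host_list_match(try_dane, host)):
        return "no-dane"        # TLSA is never queried for this host
    if tlsa_result == "lookup-failed":
        return "defer"          # unknown state: do not guess, retry later
    if tlsa_result == "secure-tlsa":
        return "dane-tls"       # verified TLS, no cleartext fallback
    # No usable TLSA records: only the "require" list refuses delivery.
    return "fail-host" if required else "no-dane"


if __name__ == "__main__":
    for hl in ("*", "!*.gov.hk : *"):
        for res in ("lookup-failed", "no-tlsa"):
            print(hl, res, dane_action("tidamg1.tid.gov.hk", res, try_dane=hl))
```

With the default list a failed lookup defers, as in the posted log, while a validated NXDomain proceeds without DANE; the `!*.gov.hk : *` list skips the TLSA query for those hosts only.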