Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Fri, Aug 28, 2020 at 04:47:50PM +0800, daniel via Exim-users wrote:

> I have an update of this problem.
>
> Today I found out the solution of this problem.
>
> The solution is NOT to use any Google DNS server (8.8.8.8 8.8.4.4).
>
> I am not sure how these two things do not work with each other; but once I switch to not using it, for example, use 1.1.1.1 instead, it INSTANTLY works again.

If you're using *remote* DNS servers (doesn't matter which: Google, Cloudflare, Verisign, Quad9, your ISP's, ...) it's game over. You're wasting your time enabling DANE. Just turn it off.

When the network path between your system and your DNS resolvers is not tamper-proof, you get zero security from DANE (in Exim and Postfix, or any other MTA that does not validate DNSSEC replies internally in its resolver library, but instead trusts the "AD" bit from the resolver).

> >>> We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> >>> DANE ERROR: TLSA LOOKUP DEFER
>
> >> Their DNS is broken.

In the DANE/DNSSEC survey I find only one .gov.hk domain with TLSA record resolution issues: tid.gov.hk. This domain has nameservers that mishandle the client's EDNS buffer size. When the response wouldn't fit in the client's requested buffer size limit, they set the TC bit, but then don't actually truncate the response! Consequently, large UDP packets are sent that require fragmentation, and these don't always get through. So depending on where I ask from, lookups for the TLSA records of the MX hosts of tid.gov.hk may time out.

Otherwise, the 570 other DNSSEC-signed .gov.hk domains I do know about all seem to work fine.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello,

I have an update of this problem.

Today I found out the solution of this problem.

The solution is NOT to use any Google DNS server (8.8.8.8 8.8.4.4).

I am not sure how these two things do not work with each other; but once I switch to not using it, for example, use 1.1.1.1 instead, it INSTANTLY works again.

Thank you.

On 2020/3/30 07:34 PM, Phil Pennock wrote:
> On 2020-03-25 at 13:10 -0400, Phil Pennock via Exim-users wrote:
> > On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > > We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> > > DANE ERROR: TLSA LOOKUP DEFER
> >
> > Their DNS is broken.
>
> For clarity: I did not look at any DNS records before making that statement; it was my short-form explanation of what the error message means in practice. 95+% of the time, it means "they have DNS servers which don't reply when asked for TLSA records".
>
> To get more details out of Exim, run with `-d+transport+dns` to get debugging, enabling additional debug content in the "transport" and "dns" areas.
>
> -Phil
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Tue, Mar 31, 2020 at 12:04:06PM +0100, Jeremy Harris via Exim-users wrote:

> On 30/03/2020 07:50, daniel via Exim-users wrote:
> > And does exim by default try DANE on all hosts or not? Because I don't find these two configs in the exim config currently.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D

Jeremy, there is perhaps a cut-n-paste error in the SMTP transport variable docs:

http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146

The text for "hosts_require_dane" and "hosts_try_dane" reads the same:

    hosts_require_dane    Use: smtp    Type: host list†    Default: unset

    If built with DANE support, Exim will require that a DNSSEC-validated TLSA record is present for any host matching the list, and that a DANE-verified TLS connection is made. See the dnssec_request_domains router and transport options. There will be no fallback to in-clear communication. See section 43.15.

    hosts_try_dane    Use: smtp    Type: host list†    Default: *

    If built with DANE support, Exim will require that a DNSSEC-validated TLSA record is present for any host matching the list, and that a DANE-verified TLS connection is made. See the dnssec_request_domains router and transport options. There will be no fallback to in-clear communication. See section 43.15.

But, presumably, with the "try" variant, the TLSA RRs are not actually required, and DANE is applied only when TLSA RRs are present (RFC 7672-style opportunistic DANE TLS).

--
Viktor.
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On 30/03/2020 07:50, daniel via Exim-users wrote:
> And does exim by default try DANE on all hosts or not? Because I don't find these two configs in the exim config currently.

http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D

--
Cheers,
Jeremy
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Mon, Mar 30, 2020 at 03:25:54PM +0800, daniel via Exim-users wrote:

> Here is one example of the actual problem I have just recently tested on the problem server without applying the option fix (source domain masked for privacy reasons):
>
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testt...@xxx.com H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testt...@xxx.com S=572 id=287d2da21e9c92ef1d105bb7af95f...@xxx.com T="test" for t...@tid.gov.hk
> 2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testt...@xxx.com
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com t...@tid.gov.hk
> 2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH == t...@tid.gov.hk R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER

There is nothing wrong with the DNS configuration of tid.gov.hk:

    tid.gov.hk. IN MX 10 tidamg1.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 10 tidamg2.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 30 tidamg3.tid.gov.hk. ; NoError AD=1
    tidamg1.tid.gov.hk. IN A 202.38.18.2 ; NoError AD=1
    tidamg1.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg1.tid.gov.hk. IN TLSA ? ; NXDomain AD=1
    tidamg2.tid.gov.hk. IN A 202.38.18.3 ; NoError AD=1
    tidamg2.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg2.tid.gov.hk. IN TLSA ? ; NXDomain AD=1
    tidamg3.tid.gov.hk. IN A 203.184.133.146 ; NoError AD=1
    tidamg3.tid.gov.hk. IN ? ; NODATA AD=1
    _25._tcp.tidamg3.tid.gov.hk. IN TLSA ? ; NXDomain AD=1

https://dnsviz.net/d/_25._tcp.tidamg1.tid.gov.hk/XoMFCg/dnssec/
https://dnsviz.net/d/_25._tcp.tidamg2.tid.gov.hk/XoMFEQ/dnssec/
https://dnsviz.net/d/_25._tcp.tidamg3.tid.gov.hk/XoMFeg/dnssec/

Off-list, you reported using Google's resolvers at 8.8.8.8 and 8.8.4.4, and those also (even in your own manual tests with "dig") reported no issues (returned NXDomain, not ServFail).

I don't know why your Exim is reporting "tlsa lookup DEFER", but you need to get more detailed output from your Exim that shows the DNS queries made, and answers received, and double-check your resolver configuration. Is Exim perhaps querying a different resolver than you thought?

You may need to record the DNS-related traffic (UDP port 53), while retrying delivery to the problem domain, in a tcpdump PCAP file and post that to the list or to me off-list.

Perhaps you have an outdated version of Exim with a known issue in DNS resolution, or a base OS with a problem in the stub resolver code in its C-library? Whatever the issue is, more details are needed, but what is fairly clear is that the gov.hk folks are right, and the problem is not with their DNS.

--
Viktor.
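Two diagnoses in this thread can be checked mechanically against a captured DNS reply: Viktor's point in the post above that dig returned NXDomain with AD=1 (a secure "no TLSA record" answer, which should not produce a DEFER; only ServFail or a timeout should), and his later explanation at the top of the thread that the tid.gov.hk nameservers set the TC bit without actually truncating the response. The Python below is an added example written for this page; it is not code from the thread, from Exim, or from Postfix. It parses the 12-byte DNS header of a raw response, classifies it the way a DANE-aware MTA has to, and flags the "TC set but datagram larger than the advertised EDNS buffer" symptom. The sample responses are constructed fixtures (header plus zero padding), not real captures, and the 1232-byte default buffer size and the "loopback only" rule in ad_bit_trustworthy are assumptions chosen for the example.

```python
"""Classify a raw DNS response to a TLSA query: secure denial, real data,
a DEFER-worthy failure, or the broken-truncation symptom from the thread.

Added example; not part of the Exim-users thread or of Exim itself.
Sample responses are constructed fixtures, not real captures.
"""
import ipaddress
import struct

# Bits of the flags word in the DNS header (RFC 1035; AD/CD from RFC 4035).
FLAG_QR = 1 << 15
FLAG_TC = 1 << 9
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}


def parse_header(resp: bytes) -> dict:
    """Decode the header fields a DANE client cares about."""
    if len(resp) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", resp[:12])
    rcode = flags & 0xF
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "ancount": ancount,
        "length": len(resp),
    }


def classify_tlsa_response(resp: bytes, requested_udp_size: int = 1232) -> str:
    """Short verdict for a UDP response to a TLSA query.

    requested_udp_size is the EDNS buffer size the client advertised (1232 is
    an assumed default). A server that sets TC but still sends more than that
    shows the tid.gov.hk symptom: oversized, fragmentation-dependent datagrams.
    """
    h = parse_header(resp)
    if h["tc"] and h["length"] > requested_udp_size:
        return "broken-truncation"         # TC set, payload not actually cut down
    if h["tc"]:
        return "truncated-retry-tcp"       # normal: client re-asks over TCP
    if h["rcode"] == 2:
        return "servfail-defer"            # lookup failure: the MTA defers delivery
    security = "secure" if h["ad"] else "insecure"
    if h["rcode"] == 3:
        return "nxdomain-" + security      # no TLSA RRset: DANE simply not applicable
    if h["rcode"] == 0 and h["ancount"] == 0:
        return "nodata-" + security        # name exists, no TLSA RRset
    if h["rcode"] == 0:
        return "tlsa-present-" + security  # DANE is usable only when 'secure'
    return "rcode-" + h["rcode_name"]


def ad_bit_trustworthy(resolver_addr: str) -> bool:
    """The AD bit only means something from a validating resolver reached over
    a tamper-proof path; modelled here (assumption) as 'loopback only'."""
    return ipaddress.ip_address(resolver_addr).is_loopback


def make_response(extra_flags: int, rcode: int, ancount: int = 0, total_len: int = 12) -> bytes:
    """Build a constructed response: a header plus zero padding to total_len."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | (rcode & 0xF)
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + b"\x00" * max(0, total_len - len(header))


if __name__ == "__main__":
    samples = {
        "secure NXDomain (what dig showed for tid.gov.hk)": make_response(FLAG_AD, 3),
        "ServFail": make_response(0, 2),
        "TC set but 1400 bytes sent (broken truncation)": make_response(FLAG_TC | FLAG_AD, 0, 3, 1400),
        "TLSA data, AD=1": make_response(FLAG_AD, 0, 2, 300),
    }
    for label, pkt in samples.items():
        print(f"{label:50s} -> {classify_tlsa_response(pkt)}")
    for addr in ("127.0.0.1", "8.8.8.8", "1.1.1.1"):
        print(f"resolver {addr}: AD bit trustworthy? {ad_bit_trustworthy(addr)}")
```

Fed the UDP payloads from a tcpdump capture of port 53 while retrying delivery, as Viktor asks for, classify_tlsa_response distinguishes a clean secure denial from a ServFail, and the broken-truncation verdict points at the nameserver rather than at the MTA. The ad_bit_trustworthy check is deliberately strict: switching from 8.8.8.8 to 1.1.1.1 makes the lookups succeed but, as the top post says, does not make the AD bit trustworthy.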
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello,

Here is one example of the actual problem I have just recently tested on the problem server without applying the option fix (source domain masked for privacy reasons):

2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testt...@xxx.com H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testt...@xxx.com S=572 id=287d2da21e9c92ef1d105bb7af95f...@xxx.com T="test" for t...@tid.gov.hk
2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testt...@xxx.com
2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com t...@tid.gov.hk
2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH == t...@tid.gov.hk R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER

On 2020-03-25 17:22, Viktor Dukhovni wrote:
> On Wed, Mar 25, 2020 at 01:10:53PM -0400, Phil Pennock via Exim-users wrote:
>
> > On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > > We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> > > DANE ERROR: TLSA LOOKUP DEFER
> >
> > Their DNS is broken.
>
> It would be best if the OP were at liberty to post one or (ideally) more example domains, or send the examples to me off-list if preferred.
>
> > > However we have contacted our government and their response is:
> > > "Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE"
> > > Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.
> >
> > You have one of these two options set on your SMTP Transport:
> >
>
> Indeed each sender can work around the problem for themselves, but that's suboptimal if the problem is on the receiving side. Ideally, if there is breakage on the gov.hk side, we should be able to demonstrate it to them in a way that elicits action to remediate the problem.
>
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello Phil,

Thanks for the passive solution. Would you please advise what exactly of their DNS is broken? And does exim by default try DANE on all hosts or not? Because I don't find these two configs in the exim config currently.

Thanks
Daniel

On 2020/3/26 01:10 AM, Phil Pennock wrote:
> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.
>
> > However we have contacted our government and their response is:
> > "Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE"
> > Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.
>
> You have one of these two options set on your SMTP Transport:
>
> hosts_try_dane
> hosts_require_dane
>
> Each of those takes a host-list, so might currently look like:
>
> hosts_try_dane = *
>
> You can change that to look like:
>
> hosts_try_dane = !*.gov.hk : *
>
> If the host-list references external files, take a look at those.
>
> -Phil
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On 2020-03-25 at 13:10 -0400, Phil Pennock via Exim-users wrote:
> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.

For clarity: I did not look at any DNS records before making that statement; it was my short-form explanation of what the error message means in practice. 95+% of the time, it means "they have DNS servers which don't reply when asked for TLSA records".

To get more details out of Exim, run with `-d+transport+dns` to get debugging, enabling additional debug content in the "transport" and "dns" areas.

-Phil
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Wed, Mar 25, 2020 at 01:10:53PM -0400, Phil Pennock via Exim-users wrote:

> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.

It would be best if the OP were at liberty to post one or (ideally) more example domains, or send the examples to me off-list if preferred.

> > However we have contacted our government and their response is:
> > "Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE"
> > Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.
>
> You have one of these two options set on your SMTP Transport:
>
> hosts_try_dane
> hosts_require_dane

Indeed each sender can work around the problem for themselves, but that's suboptimal if the problem is on the receiving side. Ideally, if there is breakage on the gov.hk side, we should be able to demonstrate it to them in a way that elicits action to remediate the problem.

--
Viktor.
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> DANE ERROR: TLSA LOOKUP DEFER

Their DNS is broken.

> However we have contacted our government and their response is:
> "Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE"
> Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.

You have one of these two options set on your SMTP Transport:

hosts_try_dane
hosts_require_dane

Each of those takes a host-list, so might currently look like:

hosts_try_dane = *

You can change that to look like:

hosts_try_dane = !*.gov.hk : *

If the host-list references external files, take a look at those.

-Phil
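Phil's workaround relies on how Exim scans a host list: items are separated by colons, a leading "!" negates an item, and the first item that matches decides the outcome, so "!*.gov.hk : *" keeps opportunistic DANE for everyone except hosts under gov.hk. The Python below is an added illustration, not code from the thread or from Exim, and models only that subset of host-list semantics: name patterns ("*", "*.suffix", exact names) and negation, with no IP addresses, lookups or file references. The rule that an unmatched list whose last item is negated counts as a match is my reading of the Exim spec's list-matching rules and is labelled as an assumption in the code; it does not affect Phil's list, which ends in "*".

```python
"""Model of how Exim evaluates a host list such as
    hosts_try_dane = !*.gov.hk : *
Added example, not Exim code. Simplifications (assumptions): only host-name
patterns ('*', '*.suffix', exact names) and '!' negation are modelled.
"""


def _item_matches(pattern: str, host: str) -> bool:
    """Does one list item match a host name? Case-insensitive, trailing dot ignored."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def evaluate_host_list(host_list: str, host: str) -> bool:
    """Return True if host is 'in' the list.

    Scans left to right; the first matching item decides, and a matching
    negated item means the host is NOT in the list. If nothing matches the
    result is False, unless the last item was negated, in which case the host
    counts as matched (assumption: my reading of the Exim spec's list rules).
    """
    items = [i.strip() for i in host_list.split(":") if i.strip()]
    last_negated = False
    for item in items:
        negated = item.startswith("!")
        pattern = item[1:].strip() if negated else item
        last_negated = negated
        if _item_matches(pattern, host):
            return not negated
    return last_negated


def dane_attempted(hosts_try_dane: str, mx_host: str) -> bool:
    """Would Exim try DANE for this MX host under the given hosts_try_dane value?"""
    return evaluate_host_list(hosts_try_dane, mx_host)


if __name__ == "__main__":
    # "* : !*.gov.hk" is the ordering pitfall: "*" matches first, so the
    # exclusion never takes effect and gov.hk hosts still get DANE attempts.
    for setting in ("*", "!*.gov.hk : *", "* : !*.gov.hk"):
        for mx in ("tidamg1.tid.gov.hk", "mx.example.org"):
            print(f"hosts_try_dane = {setting:16s} {mx:22s} -> DANE tried: {dane_attempted(setting, mx)}")
```

The third setting in the demo is the mistake to watch for when editing cPanel-generated transports: with "*" placed first, the negated item is never reached, and the gov.hk MX hosts keep producing the same DEFER.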
Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
> On Mar 23, 2020, at 8:54 AM, daniel via Exim-users wrote:
>
> We recently received many complaints from our end users that they are having problems sending email to *.gov.hk with this exim error:
> DANE ERROR: TLSA LOOKUP DEFER
> However we have contacted our government and their response is:
> "Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually setup DANE"
> Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.

Would it help if one of the authors of the DANE RFC (e.g. yours truly) would write to them explaining that they are mistaken, and in fact their DNSSEC is broken, and does affect many sending domains, and it is impractical for all the senders to work around their misconfiguration?

Do you have specific .gov.hk example domains you're at liberty to mention? None are on my list of domains with TLSA lookup breakage. So before I make a fool of myself writing to them (you'd have to provide a contact who'd be willing to discuss the issue in English) I'd prefer to double-check that the issue is indeed on their end.

--
Viktor.