https://bugs.exim.org/show_bug.cgi?id=2704
--- Comment #3 from Andreas Metzler <[email protected]> ---

(In reply to Jeremy Harris from comment #1)
[...]
> > If host matches hosts_require_dane # DANE "requested"
> ^^^ no, required
>
> > skip host (i.e. bounce mail if it is the only MX)
> ^^^ fail the router. Bounces depend on other
> considerations
>
> > else GOTO regular_TLS
> ^^^ No.
> " If it does not, the host will not be used; there is no
> fallback to non-DANE or non-TLS. " - chapter 43.

Hello,

This quoting was too selective. - Could you please post a corrected complete pseudocode? I cannot specify exactly what is wrong/unclear with the documentation (and come up with a patch) unless I have an understanding of what exim actually does.

As I wrote, chapter 43 is exactly what I looked at and what was not that helpful. ;-)

Just for illustration, while keeping in mind that "hosts_try_dane" defaults to *:

| A TLSA lookup will be done if either of the above options match and the
| host-lookup succeeded using DNSSEC. If a TLSA lookup is done and
| succeeds, a DANE-verified TLS connection will be required for the host.
| If it does not, the host will not be used; there is no fallback to
| non-DANE or non-TLS.

Which translates to

if ( (hosts_require_dane OR hosts_try_dane) AND successful DNSSEC host-lookup) {
    check for TLSA record
    if there is a TLSA record
        require DANE-verified TLS connection
    else /* reading "If it does not" as "no TLSA found" */
        skip host

So if this sentence was correct then exim would not deliver to hosts with dnssec but without DANE (if exim uses dnssec). Which is not what 725900cda2676bad205fb9ff44e563332766479e says about hosts_try_dane:

| If built with DANE support, Exim will look up a TLSA record for any host
| matching the list, If one is found and that lookup was DNSSEC-validated,
| then Exim requires that a DANE-verified TLS connection is made for that
| host; there will be no fallback to in-clear communication.

if (hosts_try_dane AND successful DNSSEC host-lookup) {
    check for DNSSECed TLSA record
    if there is a DNSSECed TLSA record
        require DANE-verified TLS connection
    else /* no TLSA */
        regular TLS

TIA, cu Andreas

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/ ##
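As an added illustration (not part of the bug comment and not exim's own code), the following Python models the two readings Andreas contrasts, the chapter 43 text and the quoted commit text, as pure decision functions and enumerates the inputs on which they disagree. The HostFacts fields, and the hosts_require_dane branch that follows comment #1's "required / fail the router" correction, are my assumptions about how to encode the quoted text, not a statement of what exim actually does.

```python
import itertools
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    DANE_REQUIRED = "require DANE-verified TLS connection"
    REGULAR_TLS = "regular TLS (no DANE)"
    HOST_NOT_USED = "host not used / router fails"

@dataclass(frozen=True)
class HostFacts:  # assumed inputs, taken from the wording of the two quoted texts
    matches_require_dane: bool  # host matches hosts_require_dane
    matches_try_dane: bool      # host matches hosts_try_dane (default "*")
    dnssec_host_lookup: bool    # host lookup succeeded using DNSSEC
    tlsa_found: bool            # a TLSA record exists for the host
    tlsa_dnssec: bool           # the TLSA lookup itself was DNSSEC-validated

def decide_chapter43(h: HostFacts) -> Outcome:
    """Reading 1: the chapter 43 text, 'If it does not' taken as 'no TLSA found'."""
    if (h.matches_require_dane or h.matches_try_dane) and h.dnssec_host_lookup:
        if h.tlsa_found:
            return Outcome.DANE_REQUIRED
        return Outcome.HOST_NOT_USED  # "the host will not be used"
    return Outcome.REGULAR_TLS

def decide_commit_text(h: HostFacts) -> Outcome:
    """Reading 2: the hosts_try_dane text from the quoted commit, plus comment #1's
    correction that hosts_require_dane means required, so without DANE the router fails."""
    dane_possible = h.dnssec_host_lookup and h.tlsa_found and h.tlsa_dnssec
    if h.matches_require_dane:
        return Outcome.DANE_REQUIRED if dane_possible else Outcome.HOST_NOT_USED
    if h.matches_try_dane and dane_possible:
        return Outcome.DANE_REQUIRED
    return Outcome.REGULAR_TLS  # no (validated) TLSA: fall back to regular TLS

def disagreements() -> list:
    """Enumerate every combination of facts and return those where the readings differ."""
    out = []
    for bits in itertools.product([False, True], repeat=5):
        h = HostFacts(*bits)
        a, b = decide_chapter43(h), decide_commit_text(h)
        if a is not b:
            out.append((h, a, b))
    return out

if __name__ == "__main__":
    for h, a, b in disagreements():
        print(f"{h}\n  chapter 43 -> {a.value}\n  commit     -> {b.value}")
```

The case the comment singles out, a DNSSEC-validated host with no TLSA record, is the first disagreement printed: reading 1 refuses the host, reading 2 falls back to regular TLS.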
