On 07/07/2024 17:10, Viktor Dukhovni via Exim-users wrote:
> What are the server's TLSA records in that case?
(testsuite syntax, but you get the gist)

DNSSEC mxdane512ee MX 1 dane512ee
DNSSEC dane512ee A HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71
> Could the use of SNI depend on usage DANE-EE(3)?
> In this case all the TLSA records are "2 1 1". Also the TLSA records are behind a CNAME.
With a (single) 2 1 1 TLSA behind a CNAME, we still record an SNI having been presented:

DNSSEC mxdane256tak MX 1 dane256tak
DNSSEC dane256tak A HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1

Server log line:

1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=e10hmba-000000005vi-0...@myhost.test.ex for t...@mxdane256tak.test.ex
                                                                                                                                                            ^^^^^^^^^^^^^^^^^^^^^^
-- 
Cheers,
  Jeremy
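The lookup under discussion, as an added example (my code, not Exim's): it follows the `_port._tcp` TLSA query through the CNAME the way a DANE SMTP client does, reports the TLSA base domain the client presents as SNI and whether the usage calls for a certificate name check (DANE-TA(2) yes, DANE-EE(3) no, though SNI is sent either way), and pulls the SNI= field out of the quoted server log line. The records and log line are copied from this thread; the `.test.ex` suffix on the logged name is assumed to be appended by the test suite at run time.

```python
import re
# Records copied from this thread (Exim testsuite syntax); "DNSSEC" marks a validated answer.
ZONE = """
DNSSEC mxdane512ee MX 1 dane512ee
DNSSEC dane512ee A HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71
DNSSEC mxdane256tak MX 1 dane256tak
DNSSEC dane256tak A HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
"""
# Server-side log line quoted in the thread (the test suite appends .test.ex to names).
LOG = ("1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= <> H=the.local.host.name "
       "(myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx "
       "CV=no SNI=dane256tak.test.ex S=sss")

def parse_zone(text):
    """Map (owner, rtype) -> list of (dnssec_validated, rdata tokens)."""
    records = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        secure = tokens[0] == "DNSSEC"
        if secure:
            tokens = tokens[1:]
        records.setdefault((tokens[0], tokens[1]), []).append((secure, tokens[2:]))
    return records

def dane_plan(records, mx_host, port, max_cnames=8):
    """Chase CNAMEs from _port._tcp.<mx_host> to the TLSA RRset as a DANE SMTP client
    does; return SNI (TLSA base domain), usages, DNSSEC status, name-check need."""
    name, secure = f"_{port}._tcp.{mx_host}", True
    for _ in range(max_cnames):  # bounded so a CNAME loop cannot spin forever
        if (name, "TLSA") in records:
            rrs = records[(name, "TLSA")]
            usages = sorted({int(rd[0]) for _, rd in rrs})
            return {"sni": name.split("._tcp.", 1)[1], "usages": usages,
                    "secure": secure and all(s for s, _ in rrs),
                    # DANE-TA(2) needs the cert name to match the base domain;
                    # DANE-EE(3) skips the name check but SNI is still sent.
                    "name_check": 2 in usages}
        if (name, "CNAME") not in records:
            return None  # no TLSA and no further CNAME: not a DANE target
        s, rd = records[(name, "CNAME")][0]
        secure, name = secure and s, rd[0]
    return None  # CNAME chain too long

def log_sni(line):
    """Extract the SNI= field from an Exim log line, or None when absent."""
    m = re.search(r"\bSNI=(\S+)", line)
    return m.group(1) if m else None
```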