Hello Viktor,

> Do you have evidence that Exim is actually configured to use DANE, do
> you have <https://packages.debian.org/search?keywords=libgnutls-dane0>
> installed? Does anything in the logs indicate that DANE is attempted?

On my test system it looks like:

    libgnutls-dane0/stable,now 3.7.9-2+deb12u3 amd64 [Installiert,automatisch]

My production system looks like:

    libgnutls-dane0/focal-updates,focal-security,now 3.6.13-2ubuntu1.11 amd64 [Installiert,automatisch]

Not seeing anything about DANE.

Regards
Wolfgang

------ In reply to the following mail
From: Viktor Dukhovni via Exim-users <exim-users@lists.exim.org>
To: exim-users@lists.exim.org
Cc:
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Date: Mon, 8 Jul 2024 23:29:40 +1000

On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote:

> > Perhaps the issue is as mundane as you not having a local validating
> > resolver in /etc/resolv.conf, so that the destination domain looks
> > unsigned to Exim? Can you post the output of:
> >
> >   $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> >
> > On my system, I see:
> >
> >   $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> >   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> >   ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> >
> > Note the "ad" bit in the response *flags*, and "127.0.0.1" for the
> > *SERVER*. I have a validating local resolver.
>
> I checked into that already also. First I used my own nameserver,
> where the output looks just like yours.
>
>   dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
>   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>   ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)

But does *glibc* strip the AD bit when processing the response? Do you
have "options trust-ad" in /etc/resolv.conf?

> But later I changed to the nameservers from my hoster, where the output
> looks like this:
>
>   dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
>   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
>   ;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)

And DANE is pretty pointless if you're trusting the AD from a server far
away. To get meaningful security, you need a server you control that you
can reach via the loopback interface or a "very private" LAN.

> So that can't be the cause from my knowledge point.

Do you have evidence that Exim is actually configured to use DANE, do you
have <https://packages.debian.org/search?keywords=libgnutls-dane0>
installed? Does anything in the logs indicate that DANE is attempted?

> > DANE is not actually taking place.
>
> All I can see is that DANE takes place (for the OpenSSL based exim),
> as I pass the test from https://blog.lindenberg.one/EmailSecurityTest

But you also reported that the OpenSSL version did not send SNI, which is
not consistent with that claim.

-- 
    Viktor.

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
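The two conditions Viktor raises (the resolver must return validated answers with the AD bit set, and it must be one you control on loopback or a very private LAN), together with his question about `options trust-ad`, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Exim; it parses the two lines that `dig +noall +stats +comment ... | grep -E '^;; (flags|SERVER):'` prints and the text of `/etc/resolv.conf`, and reports which precondition fails. The sample inputs are constructed from the outputs quoted above, and the function names (`parse_dig_summary`, `parse_resolv_conf`, `assess`) are this example's own. The `trust-ad` finding assumes the glibc 2.31+ stub resolver, which clears the AD bit in responses unless that option is set.

```python
"""Offline check of the resolver preconditions for DANE in an MTA.

Inputs: the ';; flags:' and ';; SERVER:' lines from dig, and resolv.conf
text.  Output: (ok, findings) where ok is True only when answers are
validated (AD set), the resolver is local, and glibc will keep the AD bit.
"""
import ipaddress
import re

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
SERVER_RE = re.compile(r"^;; SERVER:\s*([^#\s]+)#(\d+)")


def parse_dig_summary(text):
    """Return (flags, server_ip) from dig's ';; flags:' / ';; SERVER:' lines."""
    flags, server = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
    return flags, server


def parse_resolv_conf(text):
    """Return (nameservers, trust_ad) from resolv.conf text; '#'/';' comments ignored."""
    nameservers, trust_ad = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options" and "trust-ad" in parts[1:]:
            trust_ad = True
    return nameservers, trust_ad


def assess(dig_text, resolv_conf_text):
    """Return (ok, findings); findings explain every unmet DANE precondition."""
    findings = []
    flags, server = parse_dig_summary(dig_text)
    nameservers, trust_ad = parse_resolv_conf(resolv_conf_text)

    if flags is None or server is None:
        return False, ["could not find ';; flags:' and ';; SERVER:' lines in dig output"]
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False, [f"unparseable SERVER address {server!r}"]

    validated = "ad" in flags
    if not validated:
        findings.append("AD bit absent: the resolver did not validate, so the zone "
                        "looks unsigned and DANE is skipped")

    # Viktor's rule: trust AD only from loopback or a very private LAN.
    local_enough = ip.is_loopback or ip.is_private
    if ip.is_private and not ip.is_loopback:
        findings.append(f"resolver {server} is on a private network: AD is only as "
                        "trustworthy as that network path")
    elif not ip.is_loopback:
        findings.append(f"resolver {server} is remote: trusting its AD bit gives no real security")

    # dig and the MTA both follow resolv.conf unless dig was given @server.
    if nameservers and nameservers[0] != server:
        findings.append(f"dig used {server} but resolv.conf lists {nameservers[0]} first; "
                        "the MTA will talk to the latter")

    # Assumption: glibc 2.31+ clears AD in responses unless trust-ad is set.
    if not trust_ad:
        findings.append("no 'options trust-ad' in resolv.conf: glibc (2.31+) clears the "
                        "AD bit before the MTA sees it")

    return validated and local_enough and trust_ad, findings


# Constructed samples modelled on the two dig outputs quoted in the thread.
DIG_LOCAL = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
"""
DIG_HOSTER = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)
"""
RESOLV_GOOD = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
RESOLV_NO_TRUST_AD = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    for label, dig, rc in [("local, trust-ad", DIG_LOCAL, RESOLV_GOOD),
                           ("local, no trust-ad", DIG_LOCAL, RESOLV_NO_TRUST_AD),
                           ("hoster resolver", DIG_HOSTER, RESOLV_GOOD)]:
        ok, findings = assess(dig, rc)
        print(f"{label}: {'OK' if ok else 'NOT OK'}")
        for f in findings:
            print("  -", f)
```

Run it on a mail host by pasting the real `dig` lines and `/etc/resolv.conf` contents; an empty findings list means the resolver side is not the reason DANE is being skipped, and the next place to look is whether the MTA was built with DANE support and its logs mention it.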