On Wed, Jul 11, 2018 at 02:13:46PM -0400, James B. Byrne wrote:

> > Any logs they're willing to share would likely be enlightening.
> 
> I will ask.

Please do, and ask for permission to post the results here or with
me off-list, but I would also need permission to share the logs
with the Exim developers, ideally on the exim-dev or exim-users
lists, so on-list would be best.

> > Do you know which MTA they're using?
> 
> NMAP reports: Exim smtpd 4.91

Exim linked with OpenSSL is believed to handle DANE reasonably
correctly.  Exim linked with GnuTLS is known to exhibit some warts.
In a recent TLS WG discussion Phil Pennock (one of the Exim developers,
with an apparent focus on DANE) wrote in response to me:

    > For example, I recently learned that current GnuTLS
    > versions by default no longer validate certificates with SHA-1
    > issuer signatures, and that current versions of Exim linked with
    > these GnuTLS releases fail to validate some DANE-TA(2) chains issued
    > by private-CAs that still use SHA-1.

    That's fine by me.  Linking against GnuTLS has long had implications for
    mail delivery.  It blocked SSLv3 at a time when SSLv3 was still fairly
    widespread in corporate circles (Exchange).  Folks who care about TLS
    interop for real mail-systems use OpenSSL.

It would be good to know which flavour of Exim they have.  You don't
appear to be using SHA-1, indeed I see SHA512.  So if the issue is
with GnuTLS, it is not the SHA-1 issue.

> When I run a DANE test against the domain that is failing to connect
> this is among the results:

That has no bearing on traffic from them to you.

> > Do they support certificate usage DANE-TA(2)?  Perhaps their MTA
> > only supports DANE-EE(3) and chokes on DANE-TA(2).  You could publish
> > both "3 1 1" and "2 1 1" TLSA records for each MX host, and see if
> > that resolves the issue.
> 
> I will attempt that as soon as I finish the movement of our MX
> services off their current hosts and onto the new.

Exim should have working DANE-TA(2) support when linked with
OpenSSL; it is doing DANE X.509 verification via code I contributed
that is based on the original implementation of DANE in Postfix.
When linked with GnuTLS it is using the GnuTLS DANE implementation,
whose issues may not as yet have all been uncovered.

> > If it does, the Samba list should disable DANE support until their
> > implementation is less crippled.  It needs to either not enforce
> > DANE for MX hosts with just DANE-TA(2) records, or properly support
> > DANE-TA(2) records.
> 
> Ah.  Well, I know how welcome the news that 'one is doing something so
> wrong that one should just stop doing it' can be.  I would rather
> avoid the natural antagonism such advice is likely to engender. 

There are ways of communicating the message that their MTA's DANE
support is not ready for prime-time that will be gratefully accepted
(thanks for letting us know).

> My concern in this is to assure myself that our services are running
> correctly.  If they are and the difficulties all lie with samba.org
> then can live without the mailing list digest for now.

I've not found any issues on your side.

-- 
        Viktor.
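One way to produce both TLSA records the quoted suggestion calls for ("3 1 1" for the MX host's own certificate and "2 1 1" for its issuing CA), as an added example that is not part of this thread: a stdlib-only Python script that walks a certificate's DER to its SubjectPublicKeyInfo, hashes it with SHA-256 (selector 1, matching type 1) and formats the `_25._tcp` records. The certificates it runs on are constructed, certificate-shaped DER built inline for an offline run, not real signed certificates; the hostname `mx1.example.com.` is likewise an assumption.

```python
import hashlib

def _tlv(tag, payload):
    # DER TLV encoder (definite length), used only to build the sample certs
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def _read_tlv(buf, pos):
    # Decode the TLV starting at pos -> (tag, value, position after it)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def spki_from_cert(cert_der):
    # Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    # tbsCertificate ::= SEQ { [0] version OPT, serial, sigAlg, issuer, validity, subject, SPKI, ... }
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:            # v1 certificates omit the explicit [0] version
        pos = 0
    for _ in range(5):         # skip serialNumber .. subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]        # the full SPKI TLV, header included

def tlsa_rdata(usage, cert_der):
    # selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256
    return f"{usage} 1 1 {hashlib.sha256(spki_from_cert(cert_der)).hexdigest()}"

def tlsa_records(mx, ee_cert_der, ta_cert_der):
    # Both usages for one MX host, so a peer that only does DANE-EE(3) still matches
    return [f"_25._tcp.{mx} IN TLSA {tlsa_rdata(3, ee_cert_der)}",
            f"_25._tcp.{mx} IN TLSA {tlsa_rdata(2, ta_cert_der)}"]

def fake_cert(spki, v3=True):
    # Constructed certificate-shaped DER for offline testing; not a real signed cert
    fields = [_tlv(0xA0, _tlv(0x02, b"\x02"))] if v3 else []
    fields += [_tlv(0x02, b"\x01")] + [_tlv(0x30, b"")] * 4 + [spki]
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Constructed sample SPKIs (algorithm SEQ + BIT STRING); the key bytes are not real keys
EE_SPKI = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"\x11" * 200))
TA_SPKI = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"\x22" * 200))
EE_CERT, TA_CERT = fake_cert(EE_SPKI), fake_cert(TA_SPKI, v3=False)
```

Against real certificates, feed the DER of the MX host's leaf to usage 3 and the DER of its issuing CA to usage 2; the digest must be recomputed whenever the key in either certificate is rotated.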
