[exim] DANE? verify = recipient/callout: DNS gets a query ab…

Author: Heiko Schlittermann
Date:  
To: Exim-users
Subject: [exim] DANE? verify = recipient/callout: DNS gets a query about _-1._tcp.<hostname>
Hello,

I've tried to set up DANE.

It works fine.
Tested: date | exim -v hs@???

2015-03-20 22:56:05 [15276] 1YZ4th-0003yO-AI <= root@??? U=root P=local S=369 M8S=0 from <root@???> for hs@???
2015-03-20 22:56:05 [15278] cwd=/var/spool/exim4 4 args: /usr/local/exim/bin/exim -v -Mc 1YZ4th-0003yO-AI
2015-03-20 22:56:08 [15278] 1YZ4th-0003yO-AI => hs@??? I=[84.19.194.10] F=<root@???> P=<root@???> R=dnslookup T=remote_smtp S=381 H=ssl.schlittermann.de [212.80.235.130]:25 X=TLSv1.2:DHE-RSA-AES256-SHA256:256 CV=dane DN="/description=D1kmXl5Dw4CO0vGH/C=DE/CN=ssl.schlittermann.de/emailAddress=postmaster@???" C="250 OK id=1YZ4tk-0005Wv-Ej" QT=3s DT=3s
2015-03-20 22:56:08 [15278] 1YZ4th-0003yO-AI Completed QT=3s


But now I've set up "verify = recipient/callout", and it doesn't work anymore...
I'm testing it using swaks:

swaks -f hs@??? -t hs@??? --pipe 'exim -bhc 84.19.194.10' -q rcpt
...
>>> SMTP>> QUIT
>>> interface=NULL port=25
>>> 212.80.225.206 in hosts_require_dane? yes (matched "*")

LOG: [15308] DANE error: TLSA lookup failed

In my Bind querylog I see lookups for _-1._tcp.<mx>.

@jgh: didn't we have some similar problem already, when some part of
the transport options block wasn't properly set up for callout
verification?


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
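
An added example, not part of the original message and not Exim's code: a check over BIND query-log lines that flags TLSA lookups whose owner name is not a valid _port._proto.host name per RFC 6698, such as the _-1._tcp name reported above. The log lines and the host mx.example.org are constructed, and the "query: NAME IN TLSA" line layout is an assumption based on BIND 9's querylog format.

```python
import re

# RFC 6698 section 3: a TLSA owner name is _<port>._<proto>.<base domain>.
OWNER = re.compile(r"^_([^.]*)\._([^.]*)\.(.+)$")
PORT = re.compile(r"[1-9][0-9]{0,4}")
# Assumed BIND 9 querylog layout: "... query: <name> IN <type> <flags> ..."
TLSA_QUERY = re.compile(r"query: (\S+) IN TLSA\b")


def check_owner(name):
    """Return None for a well-formed TLSA owner name, else the reason."""
    m = OWNER.match(name.rstrip("."))
    if not m:
        return "missing _port._proto prefix"
    port, proto, _base = m.groups()
    if not PORT.fullmatch(port):
        return f"port label {port!r} is not a decimal port number"
    if int(port) > 65535:
        return f"port {port} is out of range"
    if proto.lower() not in ("tcp", "udp", "sctp"):
        return f"unknown protocol label {proto!r}"
    return None


def malformed_tlsa_queries(lines):
    """Return (owner name, reason) for every malformed TLSA query logged."""
    found = []
    for line in lines:
        m = TLSA_QUERY.search(line)
        if m:
            reason = check_owner(m.group(1))
            if reason:
                found.append((m.group(1), reason))
    return found


# Constructed sample log lines (not from the original message).
SAMPLE = [
    "client 127.0.0.1#40112 (_25._tcp.mx.example.org): "
    "query: _25._tcp.mx.example.org IN TLSA +E (127.0.0.1)",
    "client 127.0.0.1#40113 (_-1._tcp.mx.example.org): "
    "query: _-1._tcp.mx.example.org IN TLSA +E (127.0.0.1)",
    "client 127.0.0.1#40114 (mx.example.org): "
    "query: mx.example.org IN A + (127.0.0.1)",
]

if __name__ == "__main__":
    for name, reason in malformed_tlsa_queries(SAMPLE):
        print(f"{name}: {reason}")
```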