Hello,
I've tried to set up DANE.
It works fine.
Tested: date | exim -v hs@???
2015-03-20 22:56:05 [15276] 1YZ4th-0003yO-AI <= root@??? U=root P=local S=369 M8S=0 from <root@???> for hs@???
2015-03-20 22:56:05 [15278] cwd=/var/spool/exim4 4 args: /usr/local/exim/bin/exim -v -Mc 1YZ4th-0003yO-AI
2015-03-20 22:56:08 [15278] 1YZ4th-0003yO-AI => hs@??? I=[84.19.194.10] F=<root@???> P=<root@???> R=dnslookup T=remote_smtp S=381 H=ssl.schlittermann.de [212.80.235.130]:25 X=TLSv1.2:DHE-RSA-AES256-SHA256:256 CV=dane DN="/description=D1kmXl5Dw4CO0vGH/C=DE/CN=ssl.schlittermann.de/emailAddress=postmaster@???" C="250 OK id=1YZ4tk-0005Wv-Ej" QT=3s DT=3s
2015-03-20 22:56:08 [15278] 1YZ4th-0003yO-AI Completed QT=3s
But now that I've set up "verify = recipient/callout", it doesn't work anymore...
I'm testing it using swaks:
swaks -f hs@??? -t hs@??? --pipe 'exim -bhc 84.19.194.10' -q rcpt
...
>>> SMTP>> QUIT
>>> interface=NULL port=25
>>> 212.80.225.206 in hosts_require_dane? yes (matched "*")
LOG: [15308] DANE error: TLSA lookup failed
In my Bind querylog I see lookups for _-1._tcp.<mx>.
@jgh: didn't we have some similar problem already, when some part of
the transport options block wasn't properly set up for callout
verification?
Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
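The post's diagnosis rests on the BIND querylog showing a TLSA lookup for `_-1._tcp.<mx>`, i.e. an owner name whose port label is not a valid port. As an added example (not code from the post, Exim or BIND), here is a small checker that scans BIND querylog text for TLSA queries and flags owner names that do not follow the `_port._proto.host` form; the log lines are constructed to mirror the symptom, and the querylog layout is assumed to be the common `... query: <name> IN <type> ...` format.

```python
import re

# Constructed BIND querylog lines (not taken from the original post); the
# third line reproduces the malformed "_-1._tcp.<mx>" lookup the post describes.
SAMPLE_QUERYLOG = """\
client 127.0.0.1#40211 (_25._tcp.ssl.schlittermann.de): query: _25._tcp.ssl.schlittermann.de IN TLSA + (127.0.0.1)
client 127.0.0.1#40212 (ssl.schlittermann.de): query: ssl.schlittermann.de IN A + (127.0.0.1)
client 127.0.0.1#40213 (_-1._tcp.ssl.schlittermann.de): query: _-1._tcp.ssl.schlittermann.de IN TLSA + (127.0.0.1)
client 127.0.0.1#40214 (_587._udp.mail.example): query: _587._udp.mail.example IN TLSA + (127.0.0.1)
"""

# Assumed querylog layout: "... query: <owner name> IN <rrtype> ..."
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")
# TLSA owner names are "_port._proto.host" (RFC 6698 section 3); allow a
# negative number so the "-1" case is caught by the range check, not the regex.
TLSA_NAME_RE = re.compile(r"^_(?P<port>-?\d+)\._(?P<proto>[a-z]+)\.(?P<host>.+?)\.?$")


def check_tlsa_name(name):
    """Return None for a well-formed TLSA owner name, else a short reason."""
    m = TLSA_NAME_RE.match(name)
    if not m:
        return "not of the form _port._proto.host"
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return "port %d is not a valid port number" % port
    if m.group("proto") not in ("tcp", "udp", "sctp"):
        return "unknown protocol label _%s" % m.group("proto")
    return None


def find_bad_tlsa_queries(querylog):
    """Scan querylog text; return [(owner name, reason)] for malformed TLSA lookups."""
    bad = []
    for line in querylog.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "TLSA":
            continue  # only TLSA queries carry the _port._proto prefix
        reason = check_tlsa_name(m.group("name"))
        if reason:
            bad.append((m.group("name"), reason))
    return bad


if __name__ == "__main__":
    for name, reason in find_bad_tlsa_queries(SAMPLE_QUERYLOG):
        print("suspicious TLSA lookup %s: %s" % (name, reason))
```

A hit like `_-1._tcp.<mx>` means the querying MTA built the TLSA name before it knew the destination port, so the lookup can never succeed and the DANE-required connection fails as in the post.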