Re: [exim-dev] DANE: manualroute to next hop

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] DANE: manualroute to next hop
On Tue, Mar 24, 2015 at 04:45:00PM +0100, Heiko Schlittermann wrote:

>     begin routers
>
>         default:
>             driver = manualroute
>             route_data = ssl.schlittermann.de
>             transport = smtp
>
>     begin transports
>
>         smtp:
>             driver = smtp
>             hosts_require_dane = *
>
> But this setup can't use DANE, since the lookup of ssl.schlittermann.de
> doesn't seem to set the 'dnssec' flag. Even if I try to enforce dnssec,
> it doesn't work (route_data = ${lookup dnsdb{dnssec_strict,a=ssl.schlittermann.de}})
>
> I do not see any reason why I shouldn't use DANE in such a case.
> Probably the manualroute driver needs to support the
> dnssec_request_domains option too (or some similar flag).


Note, Exim aside, you SHOULD be able to use DANE in this case, with
or without MX lookups of the manual relay setting as requested.

In Postfix this would be:

    relayhost = ssl.schlittermann.de
    OR
    relayhost = [ssl.schlittermann.de]


depending on whether MX lookups should be used, and the DANE policy
would then depend on the associated transport settings. The
transport security setting is independent of how the nexthop was
determined.

Exim should be able to behave in some appropriately equivalent way.
Don't know whether this functionality exists, or requires new code.

-- 
    Viktor.
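The Postfix point above, that bracketing the relayhost only decides whether MX records are consulted while the DANE policy lives in the transport settings, can be checked mechanically. The following is an added example, not code from the thread or from Postfix: a small audit of a main.cf fragment that splits a relayhost value into host, port and MX-lookup flag the way Postfix documents the syntax (host, host:port, [host], [host]:port, [addr], [addr]:port), and then reports whether the documented DANE preconditions are met (smtp_tls_security_level set to dane or dane-only, smtp_dns_support_level set to dnssec, DNS host lookups enabled, and a hostname rather than an IP literal as nexthop, since TLSA records are looked up by name). The main.cf parser is a simplified model, and both sample configs are constructed for illustration.

```python
"""Audit a Postfix main.cf fragment for the settings DANE needs (added example)."""
import re

IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, '#' comments at line start,
    continuation lines start with whitespace; a later setting overrides an earlier one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:
            params[last] = (params[last] + ' ' + raw.strip()).strip()
            continue
        name, _, value = raw.partition('=')
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_nexthop(relayhost):
    """Split a relayhost value as Postfix reads it. Brackets suppress the MX lookup
    and nothing else: the TLS policy is decided by the smtp_tls_* settings."""
    value = relayhost.strip()
    m = re.fullmatch(r'\[([^\]\s]+)\](?::(\S+))?', value)
    if m:
        return {'host': m.group(1), 'port': m.group(2) or 'smtp', 'mx_lookup': False}
    m = re.fullmatch(r'([^:\s\[\]]+)(?::(\S+))?', value)
    if not m:
        raise ValueError('unparseable relayhost: %r' % relayhost)
    return {'host': m.group(1), 'port': m.group(2) or 'smtp', 'mx_lookup': True}


def dane_audit(params):
    """Return a list of findings; an empty list means the fragment can do DANE
    for its relayhost, provided the local resolver really validates DNSSEC."""
    findings = []
    level = params.get('smtp_tls_security_level', '')
    if level not in ('dane', 'dane-only'):
        findings.append('smtp_tls_security_level is %r; DANE needs "dane" or "dane-only"' % level)
    if params.get('smtp_dns_support_level', '') != 'dnssec':
        findings.append('smtp_dns_support_level must be "dnssec" so TLSA answers carry the AD bit')
    lookups = params.get('smtp_host_lookup', 'dns').replace(',', ' ').split()
    if 'dns' not in lookups:
        findings.append('smtp_host_lookup does not include "dns"; no TLSA lookup is possible')
    relayhost = params.get('relayhost', '')
    if relayhost:
        try:
            nexthop = parse_nexthop(relayhost)
        except ValueError as exc:
            findings.append(str(exc))
            return findings
        if IPV4.match(nexthop['host']) or ':' in nexthop['host']:
            findings.append('relayhost is an IP literal; TLSA records are looked up by name, so DANE cannot apply')
    return findings


# Constructed sample: DANE is requested, but nothing makes the resolver answers trustworthy.
WEAK_MAIN_CF = """
relayhost = ssl.schlittermann.de
smtp_tls_security_level = dane
"""

# Constructed sample: same nexthop, MX lookups suppressed, DNSSEC precondition met.
FIXED_MAIN_CF = """
relayhost = [ssl.schlittermann.de]
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
"""

if __name__ == '__main__':
    for label, fragment in (('weak', WEAK_MAIN_CF), ('fixed', FIXED_MAIN_CF)):
        params = parse_main_cf(fragment)
        print(label, parse_nexthop(params['relayhost']), dane_audit(params) or 'ok')
```

The audit only inspects configuration text; it cannot tell whether the resolver named in /etc/resolv.conf actually validates, which is the other half of the precondition and has to be checked on the host itself.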