Re: [exim] Next Exim release

Author: Jeremy Harris
To: exim-users
Subject: Re: [exim] Next Exim release
On 04/12/15 17:57, Mark Elkins wrote:
> Would like to see a working config example of DANE too... ;-)

Client side, set hosts_try_dane = * on your smtp transports,
unless you have specific targets known to not work.

Server side, first get DNSSEC going. That's the hard part.

Then it's all DNS configuration - and there are several options.
If you want EE cert-usage (end-entity, meaning "the leaf
cert should match this") then records like this:

dane256ee            A      HOSTIPV4
_25._tcp.dane256ee TLSA  3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3

... hostname to suit, HOSTIPV4 being your actual A-record IP,
and that hash being generated by:

openssl x509 -in <CERTIFICATE-FILE> -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 \
| awk '{print $2}'

Or if you want TA cert-usage (trust-anchor, meaning "the chain should start
with a CA matching this") then

dane256ta            A      HOSTIPV4
_25._tcp.dane256ta TLSA 2 0 1 882be5ac06deafdc021a69daa457226153bfde6da7914813b0144b0fd31bf7ae

openssl x509 -in <CERTIFICATE-FILE> -fingerprint -sha256 -noout \
| awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'

... but you do need to get that CA cert into a file which is a
pain if it's not a private-CA. I need to work up a decent method
for generating a TA-mode TLSA for a random site using a public-CA.

Duplicate TLSAs for any other ports needed apart from 25.
Other variants are possible; see rfc 6698 section 2 for
details - but pretty much only EE & TA cert-usage are
useful for SMTP.
--
Cheers,
Jeremy