[exim] recipient DNSSEC validation question for exim 4.88 wi…

Author: Fasan, Stefan
Date:  
To: exim-users@exim.org
Subject: [exim] recipient DNSSEC validation question for exim 4.88 with exp DANE support
Greetings

Testing DANE with exim 4.88 and having issues. I'll attach my exim.conf at the end of this mail. What am I missing here? Exim doesn't seem to be able to resolve DNSSEC at all despite using a local pdns-recursor that returns good DNSSEC signatures. I'd greatly appreciate any ideas that would point me in the right direction as I seem to be completely stuck with this problem!

Running CentOS 6.7

1) Exim 4.88 compiled with EXPERIMENTAL_dane = yes
2) Using local pdns-recursor 4.x, dig returns a good DNSSEC signature:

dig mx4.unitybox.de +dnssec +multi

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx4.unitybox.de.       IN A

;; ANSWER SECTION:
mx4.unitybox.de.        1998 IN A 80.69.98.122
mx4.unitybox.de.        1998 IN RRSIG A 8 3 3600 20170219230330 (
                                20170120222301 19254 unitybox.de.
                                HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
                                xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
                                51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
                                YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
                                FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
                                1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
                                Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
                                9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb  8 12:51:35 2017
;; MSG SIZE  rcvd: 359

3) Exim fails to see DNSSEC for this example domain and returns "** mig.test.9@??? R=dnslookup T=remote_smtp: DANE error: mx4.unitybox.de lookup not DNSSEC"
4) resolv.conf only contains 127.0.0.1 (local pdns-recursor)
5) Here is my exim.conf. It's a bit messy because I use it for testing in a DEV environment at the moment.


##########
## MAIN ##
##########

local_interfaces = 172.31.111.107
primary_hostname = *********
smtp_banner = "${primary_hostname******"
domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains = *
hostlist relay_from_hosts = 127.0.0.1 : 172.31.111.0/24
#acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
#acl_smtp_mime = acl_check_mime
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25
never_users = root
auth_advertise_hosts =
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 3h
timeout_frozen_after = 3h
message_size_limit = 35M
smtp_return_error_details=yes
smtp_accept_max = 1000
smtp_accept_queue_per_connection = 1500
log_selector = +dnssec -queue_run
log_file_path = /var/log/exim/%s-%D.log
keep_environment =
### testing DANE support here
dns_dnssec_ok = 1

#########
## ACL ##
#########

begin acl
acl_check_mail:
  deny condition = ${if eq{$sender_helo_name}{} {1}}
       message = Nice boys say HELO first

acl_check_rcpt:
#  accept  hosts = :
#          control = dkim_disable_verify

#  deny    message       = Restricted characters in address
#          domains       = +local_domains
#          local_parts   = ^[.] : ^.*[@%!/|]
#  deny    message       = Restricted characters in address
#          domains       = !+local_domains
#          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

#  accept  local_parts   = postmaster
#          domains       = +local_domains
#  accept  hosts         = +relay_from_hosts
#          control       = submission
#          control       = dkim_disable_verify
#  accept  authenticated = *
#          control       = submission
#          control       = dkim_disable_verify
#  require message = relay not permitted
#          domains = +local_domains : +relay_to_domains
  accept

acl_check_data:
accept

acl_check_mime:
accept


#############
## ROUTERS ##
#############

begin routers
bounce:
  driver    = manualroute
  condition = ${if eq{$sender_address}{$bounce_recipient}}
  transport = bounce_transport
  route_list = * 172.31.111.119
  #route_data = 172.31.218.242
  pass_on_timeout
  no_more
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  dnssec_request_domains = *
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  pass_on_timeout
#  fallback_hosts = 172.31.111.119
  no_more
#fallback_DNS_timeout:
#  driver = manualroute
#  route_data = 172.31.111.119
#  transport = remote_smtp
#  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
userforward:
  driver = redirect
  check_local_user
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
procmail:
  driver = accept
  check_local_user
  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
  transport = procmail
  no_verify
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user


################
## TRANSPORTS ##
################

begin transports
bounce_transport:
  driver = smtp
remote_smtp:
  driver = smtp
  connection_max_messages = 5
  ### testing DANE here
  hosts_require_dane = *
procmail:
  driver = pipe
  command = "/usr/bin/procmail -d $local_part"
  return_path_add
  delivery_date_add
  envelope_to_add
  user = $local_part
  initgroups
  return_output
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply

##################
## RETRY & MISC ##
##################

begin retry
*    *    F,8h,5m;
begin rewrite
begin authenticators



Best Regards,

--
Stefan Fasan

Information pursuant to § 14 Unternehmensgesetzbuch (Austrian Commercial Code): UPC Austria GmbH, registered office: Wolfganggasse 58-60, 1120 Wien, company register number: FN 251865s, Handelsgericht Wien.
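Added diagnostic, not part of the original mail: Exim treats a DANE MX/A lookup as DNSSEC-validated only when the resolver's reply carries the AD flag, which is independent of whether RRSIG records are returned (those appear whenever the DO bit was requested). The dig header quoted above shows "flags: qr rd ra" with DO set but no "ad", which is exactly the combination that yields "lookup not DNSSEC". The parser below reads dig's header block and reports which situation a reply is in; the two sample replies are constructed, the first modelled on the header lines in the mail.

```python
import re

# Constructed sample modelled on the dig header in the mail: DO requested,
# RRSIGs returned, but no AD flag, so the resolver did not validate.
DIG_NOT_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Constructed sample of what a validating resolver returns: AD is set.
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Header flags sit on ";; flags: ...;" and EDNS flags on "; EDNS: ... flags: ...;".
HEADER_FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*?);", re.M)
EDNS_FLAGS_RE = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*?);", re.M)


def parse_dig_flags(text):
    """Return (header_flags, edns_flags) as sets of lowercase flag names."""
    header = HEADER_FLAGS_RE.search(text)
    edns = EDNS_FLAGS_RE.search(text)
    header_flags = set(header.group(1).split()) if header else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return header_flags, edns_flags


def dnssec_verdict(text):
    """Classify a dig reply the way an Exim DANE lookup will see it.

    'validated'   : DO was requested and the resolver set AD
    'unvalidated' : DO was requested (RRSIGs may be present) but AD is
                    absent; Exim reports "lookup not DNSSEC" for this
    'no-do'       : the query did not ask for DNSSEC records at all
    """
    header_flags, edns_flags = parse_dig_flags(text)
    if "do" not in edns_flags:
        return "no-do"
    if "ad" in header_flags:
        return "validated"
    return "unvalidated"
```

Paste the header block of any `dig ... +dnssec` run into `dnssec_verdict` to see whether the resolver itself is validating; an "unvalidated" result points at the resolver configuration rather than at Exim.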