I don't see the AD bit being set in your example?
It is however set when I ask a DNSSEC aware resolver. Which Resolver are
you asking? You localhost (127.0.0.1) may not be DNSSEC aware.
# dig mx4.unitybox.de +dnssec +multi
; <<>> DiG 9.9.5 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
On 08/02/2017 14:04, Fasan, Stefan via Exim-users wrote:
> Greetings
>
> Testing DANE with exim 4.88 and having issues. I'll attach my exim.conf at the end of this mail. What am I missing here? Exim doesn't seem to be able to resolve DNSSEC at all despite using a local pdns-recursor that returns good DNSSEC signatures. I'd greatly appreciate any ideas that would point me in the right direction as I seem to be completely stuck with this problem!
>
> Running CentOS6.7
>
> 1) Exim 4.88 compiled with EXPERIMENTAL_dane = yes
> 2) Using local pdns-recursor 4.x, dig returns good DNSSEC signature:
>
> dig mx4.unitybox.de +dnssec +multi
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mx4.unitybox.de. IN A
>
> ;; ANSWER SECTION:
> mx4.unitybox.de. 1998 IN A 80.69.98.122
> mx4.unitybox.de. 1998 IN RRSIG A 8 3 3600 20170219230330 (
> 20170120222301 19254 unitybox.de.
> HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
> xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
> 51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
> YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
> FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
> 1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
> Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
> 9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Feb 8 12:51:35 2017
> ;; MSG SIZE rcvd: 359
>
> 3) Exim fails to see DNSSEC for this example domain and returns "** mig.test.9@??? R=dnslookup T=remote_smtp: DANE error: mx4.unitybox.de lookup not DNSSEC"
> 4) resolv.conf only contains 127.0.0.1 (local pdns-recursor)
> 5) Here is my exim.conf. it's a bit messy because I use it for testing in a DEV environment at the moment.
>
>
> ##########
> ## MAIN ##
> ##########
>
> local_interfaces = 172.31.111.107
> primary_hostname = *********
> smtp_banner = "${primary_hostname******"
> domainlist local_domains = @ : localhost : localhost.localdomain
> domainlist relay_to_domains = *
> hostlist relay_from_hosts = 127.0.0.1 : 172.31.111.0/24
> #acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
> #acl_smtp_mime = acl_check_mime
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem
> daemon_smtp_ports = 25
> never_users = root
> auth_advertise_hosts =
> rfc1413_hosts = *
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 3h
> timeout_frozen_after = 3h
> message_size_limit = 35M
> smtp_return_error_details=yes
> smtp_accept_max = 1000
> smtp_accept_queue_per_connection = 1500
> log_selector = +dnssec -queue_run
> log_file_path = /var/log/exim/%s-%D.log
> keep_environment =
> ### testing DANE support here
> dns_dnssec_ok = 1
>
> #########
> ## ACL ##
> #########
>
> begin acl
> acl_check_mail:
> deny condition = ${if eq{$sender_helo_name}{} {1}}
> message = Nice boys say HELO first
>
> acl_check_rcpt:
> # accept hosts = :
> # control = dkim_disable_verify
>
> # deny message = Restricted characters in address
> # domains = +local_domains
> # local_parts = ^[.] : ^.*[@%!/|]
> # deny message = Restricted characters in address
> # domains = !+local_domains
> # local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>
> # accept local_parts = postmaster
> # domains = +local_domains
> # accept hosts = +relay_from_hosts
> # control = submission
> # control = dkim_disable_verify
> # accept authenticated = *
> # control = submission
> # control = dkim_disable_verify
> # require message = relay not permitted
> # domains = +local_domains : +relay_to_domains
> accept
>
> acl_check_data:
> accept
>
> acl_check_mime:
> accept
>
>
> #############
> ## ROUTERS ##
> #############
>
> begin routers
> bounce:
> driver = manualroute
> condition = ${if eq{$sender_address}{$bounce_recipient}}
> transport = bounce_transport
> route_list = * 172.31.111.119
> #route_data = 172.31.218.242
> pass_on_timeout
> no_more
> dnslookup:
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp
> dnssec_request_domains = *
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> pass_on_timeout
> # fallback_hosts = 172.31.111.119
> no_more
> #fallback_DNS_timeout:
> # driver = manualroute
> # route_data = 172.31.111.119
> # transport = remote_smtp
> # no_more
>
> system_aliases:
> driver = redirect
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> file_transport = address_file
> pipe_transport = address_pipe
> userforward:
> driver = redirect
> check_local_user
> file = $home/.forward
> allow_filter
> no_verify
> no_expn
> check_ancestor
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
> procmail:
> driver = accept
> check_local_user
> require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
> transport = procmail
> no_verify
> localuser:
> driver = accept
> check_local_user
> transport = local_delivery
> cannot_route_message = Unknown user
>
>
> ################
> ## TRANSPORTS ##
> ################
>
> begin transports
> bounce_transport:
> driver = smtp
> remote_smtp:
> driver = smtp
> connection_max_messages = 5
> ### testing DANE here
> hosts_require_dane = *
> procmail:
> driver = pipe
> command = "/usr/bin/procmail -d $local_part"
> return_path_add
> delivery_date_add
> envelope_to_add
> user = $local_part
> initgroups
> return_output
> local_delivery:
> driver = appendfile
> file = /var/mail/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> group = mail
> mode = 0660
> address_pipe:
> driver = pipe
> return_output
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
> address_reply:
> driver = autoreply
>
> ##################
> ## RETRY & MISC ##
> ##################
>
> begin retry
> * * F,8h,5m;
> begin rewrite
> begin authenticators
>
>
>
> Best Regards,
>
> --
> Stefan Fasan
>
> Information gemäß § 14 Unternehmensgesetzbuch: UPC Austria GmbH, Firmensitz: Wolfganggasse 58-60, 1120 Wien, Firmenbuchnummer: FN 251865s, Handelsgericht Wien.
--
Mark James ELKINS - Posix Systems - (South) Africa
mje@??? Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
