Re: [exim] recipient DNSSEC validation question for exim 4.8…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Mark Elkins
Data:  
Para: exim-users
Asunto: Re: [exim] recipient DNSSEC validation question for exim 4.88 with exp DANE support
I don't see the AD bit being set in your example?

It is however set when I ask a DNSSEC aware resolver. Which Resolver are
you asking? You localhost (127.0.0.1) may not be DNSSEC aware.

# dig mx4.unitybox.de +dnssec +multi

; <<>> DiG 9.9.5 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9


On 08/02/2017 14:04, Fasan, Stefan via Exim-users wrote:
> Greetings
>
> Testing DANE with exim 4.88 and having issues. I'll attach my exim.conf at the end of this mail. What am I missing here? Exim doesn't seem to be able to resolve DNSSEC at all despite using a local pdns-recursor that returns good DNSSEC signatures. I'd greatly appreciate any ideas that would point me in the right direction as I seem to be completely stuck with this problem!
>
> Running CentOS6.7
>
> 1) Exim 4.88 compiled with EXPERIMENTAL_dane = yes
> 2) Using local pdns-recursor 4.x, dig returns good DNSSEC signature:
>
> dig mx4.unitybox.de +dnssec +multi
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mx4.unitybox.de.       IN A

>
> ;; ANSWER SECTION:
> mx4.unitybox.de.        1998 IN A 80.69.98.122
> mx4.unitybox.de.        1998 IN RRSIG A 8 3 3600 20170219230330 (
>                                 20170120222301 19254 unitybox.de.
>                                 HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
>                                 xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
>                                 51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
>                                 YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
>                                 FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
>                                 1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
>                                 Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
>                                 9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )

>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Feb 8 12:51:35 2017
> ;; MSG SIZE rcvd: 359
>
> 3) Exim fails to see DNSSEC for this example domain and returns "** mig.test.9@??? R=dnslookup T=remote_smtp: DANE error: mx4.unitybox.de lookup not DNSSEC"
> 4) resolv.conf only contains 127.0.0.1 (local pdns-recursor)
> 5) Here is my exim.conf. it's a bit messy because I use it for testing in a DEV environment at the moment.
>
>
> ##########
> ## MAIN ##
> ##########
>
> local_interfaces = 172.31.111.107
> primary_hostname = *********
> smtp_banner = "${primary_hostname******"
> domainlist local_domains = @ : localhost : localhost.localdomain
> domainlist relay_to_domains = *
> hostlist relay_from_hosts = 127.0.0.1 : 172.31.111.0/24
> #acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
> #acl_smtp_mime = acl_check_mime
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem
> daemon_smtp_ports = 25
> never_users = root
> auth_advertise_hosts =
> rfc1413_hosts = *
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 3h
> timeout_frozen_after = 3h
> message_size_limit = 35M
> smtp_return_error_details=yes
> smtp_accept_max = 1000
> smtp_accept_queue_per_connection = 1500
> log_selector = +dnssec -queue_run
> log_file_path = /var/log/exim/%s-%D.log
> keep_environment =
> ### testing DANE support here
> dns_dnssec_ok = 1
>
> #########
> ## ACL ##
> #########
>
> begin acl
> acl_check_mail:
>   deny condition = ${if eq{$sender_helo_name}{} {1}}
>        message = Nice boys say HELO first

>
> acl_check_rcpt:
> #  accept  hosts = :
> #          control = dkim_disable_verify

>
> #  deny    message       = Restricted characters in address
> #          domains       = +local_domains
> #          local_parts   = ^[.] : ^.*[@%!/|]
> #  deny    message       = Restricted characters in address
> #          domains       = !+local_domains
> #          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

>
> #  accept  local_parts   = postmaster
> #          domains       = +local_domains
> #  accept  hosts         = +relay_from_hosts
> #          control       = submission
> #          control       = dkim_disable_verify
> #  accept  authenticated = *
> #          control       = submission
> #          control       = dkim_disable_verify
> #  require message = relay not permitted
> #          domains = +local_domains : +relay_to_domains
>   accept

>
> acl_check_data:
> accept
>
> acl_check_mime:
> accept
>
>
> #############
> ## ROUTERS ##
> #############
>
> begin routers
> bounce:
>   driver    = manualroute
>   condition = ${if eq{$sender_address}{$bounce_recipient}}
>   transport = bounce_transport
>   route_list = * 172.31.111.119
>   #route_data = 172.31.218.242
>   pass_on_timeout
>   no_more
> dnslookup:
>   driver = dnslookup
>   domains = ! +local_domains
>   transport = remote_smtp
>   dnssec_request_domains = *
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>   pass_on_timeout
> #  fallback_hosts = 172.31.111.119
>   no_more
> #fallback_DNS_timeout:
> #  driver = manualroute
> #  route_data = 172.31.111.119
> #  transport = remote_smtp
> #  no_more

>
> system_aliases:
> driver = redirect
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> file_transport = address_file
> pipe_transport = address_pipe
> userforward:
> driver = redirect
> check_local_user
> file = $home/.forward
> allow_filter
> no_verify
> no_expn
> check_ancestor
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
> procmail:
> driver = accept
> check_local_user
> require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
> transport = procmail
> no_verify
> localuser:
> driver = accept
> check_local_user
> transport = local_delivery
> cannot_route_message = Unknown user
>
>
> ################
> ## TRANSPORTS ##
> ################
>
> begin transports
> bounce_transport:
> driver = smtp
> remote_smtp:
> driver = smtp
> connection_max_messages = 5
> ### testing DANE here
> hosts_require_dane = *
> procmail:
> driver = pipe
> command = "/usr/bin/procmail -d $local_part"
> return_path_add
> delivery_date_add
> envelope_to_add
> user = $local_part
> initgroups
> return_output
> local_delivery:
> driver = appendfile
> file = /var/mail/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> group = mail
> mode = 0660
> address_pipe:
> driver = pipe
> return_output
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
> address_reply:
> driver = autoreply
>
> ##################
> ## RETRY & MISC ##
> ##################
>
> begin retry
> *    *    F,8h,5m;
> begin rewrite
> begin authenticators

>
>
>
> Best Regards,
>
> --
> Stefan Fasan
>
> Information gemäß § 14 Unternehmensgesetzbuch: UPC Austria GmbH, Firmensitz: Wolfganggasse 58-60, 1120 Wien, Firmenbuchnummer: FN 251865s, Handelsgericht Wien.


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za