Re: [exim] recipient DNSSEC validation question for exim 4.8…

Author: Torsten Tributh
Date:  
To: exim-users
Subject: Re: [exim] recipient DNSSEC validation question for exim 4.88 with exp DANE support


On 02/08/2017 01:04 PM, Fasan, Stefan via Exim-users wrote:
> Greetings
>
> Testing DANE with exim 4.88 and having issues. I'll attach my exim.conf at the end of this mail. What am I missing here? Exim doesn't seem to be able to resolve DNSSEC at all despite using a local pdns-recursor that returns good DNSSEC signatures. I'd greatly appreciate any ideas that would point me in the right direction as I seem to be completely stuck with this problem!


Hello Stefan,
I was having a similar issue in the past.
When I switched from pdns-recursor to unbound everything worked.
If you look at your flags:

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

compared with my dig a bit later
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

you can see that the "ad" flag is set.
That is an indication that dnssec was proved by the resolver.
I am not sure if pdns-recursor in a newer version is able to resolve
including that "ad" flag.
Maybe you just try unbound as a resolver.

With unbound as a resolver my dig shows:
dig mx4.unitybox.de +dnssec +multi

; <<>> DiG 9.10.3-P4-Debian <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58977
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx4.unitybox.de.    IN A


;; ANSWER SECTION:
mx4.unitybox.de.    3600 IN    A 80.69.98.122
mx4.unitybox.de.    3600 IN    RRSIG A 8 3 3600 (
                20170219230330 20170120222301 19254 unitybox.de.
                HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
                xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
                51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
                YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
                FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
                1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
                Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
                9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )


;; Query time: 50 msec
;; SERVER: 2a00:dca0:100:5:dead:face:beef:babe#53(2a00:dca0:100:5:dead:face:beef:babe)
;; WHEN: Wed Feb 08 13:26:06 CET 2017
;; MSG SIZE rcvd: 359


Regards Torsten


>
> Running CentOS6.7
>
> 1) Exim 4.88 compiled with EXPERIMENTAL_dane = yes
> 2) Using local pdns-recursor 4.x, dig returns good DNSSEC signature:
>
> dig mx4.unitybox.de +dnssec +multi
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mx4.unitybox.de.       IN A

>
> ;; ANSWER SECTION:
> mx4.unitybox.de.        1998 IN A 80.69.98.122
> mx4.unitybox.de.        1998 IN RRSIG A 8 3 3600 20170219230330 (
>                                 20170120222301 19254 unitybox.de.
>                                 HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
>                                 xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
>                                 51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
>                                 YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
>                                 FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
>                                 1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
>                                 Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
>                                 9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )

>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Feb 8 12:51:35 2017
> ;; MSG SIZE rcvd: 359
>
> 3) Exim fails to see DNSSEC for this example domain and returns "** mig.test.9@??? R=dnslookup T=remote_smtp: DANE error: mx4.unitybox.de lookup not DNSSEC"
> 4) resolv.conf only contains 127.0.0.1 (local pdns-recursor)
> 5) Here is my exim.conf. it's a bit messy because I use it for testing in a DEV environment at the moment.
>
>
> ##########
> ## MAIN ##
> ##########
>
> local_interfaces = 172.31.111.107
> primary_hostname = *********
> smtp_banner = "${primary_hostname******"
> domainlist local_domains = @ : localhost : localhost.localdomain
> domainlist relay_to_domains = *
> hostlist relay_from_hosts = 127.0.0.1 : 172.31.111.0/24
> #acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
> #acl_smtp_mime = acl_check_mime
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem
> daemon_smtp_ports = 25
> never_users = root
> auth_advertise_hosts =
> rfc1413_hosts = *
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 3h
> timeout_frozen_after = 3h
> message_size_limit = 35M
> smtp_return_error_details=yes
> smtp_accept_max = 1000
> smtp_accept_queue_per_connection = 1500
> log_selector = +dnssec -queue_run
> log_file_path = /var/log/exim/%s-%D.log
> keep_environment =
> ### testing DANE support here
> dns_dnssec_ok = 1
>
> #########
> ## ACL ##
> #########
>
> begin acl
> acl_check_mail:
>   deny condition = ${if eq{$sender_helo_name}{} {1}}
>        message = Nice boys say HELO first

>
> acl_check_rcpt:
> #  accept  hosts = :
> #          control = dkim_disable_verify

>
> #  deny    message       = Restricted characters in address
> #          domains       = +local_domains
> #          local_parts   = ^[.] : ^.*[@%!/|]
> #  deny    message       = Restricted characters in address
> #          domains       = !+local_domains
> #          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

>
> #  accept  local_parts   = postmaster
> #          domains       = +local_domains
> #  accept  hosts         = +relay_from_hosts
> #          control       = submission
> #          control       = dkim_disable_verify
> #  accept  authenticated = *
> #          control       = submission
> #          control       = dkim_disable_verify
> #  require message = relay not permitted
> #          domains = +local_domains : +relay_to_domains
>   accept

>
> acl_check_data:
> accept
>
> acl_check_mime:
> accept
>
>
> #############
> ## ROUTERS ##
> #############
>
> begin routers
> bounce:
>   driver    = manualroute
>   condition = ${if eq{$sender_address}{$bounce_recipient}}
>   transport = bounce_transport
>   route_list = * 172.31.111.119
>   #route_data = 172.31.218.242
>   pass_on_timeout
>   no_more
> dnslookup:
>   driver = dnslookup
>   domains = ! +local_domains
>   transport = remote_smtp
>   dnssec_request_domains = *
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>   pass_on_timeout
> #  fallback_hosts = 172.31.111.119
>   no_more
> #fallback_DNS_timeout:
> #  driver = manualroute
> #  route_data = 172.31.111.119
> #  transport = remote_smtp
> #  no_more

>
> system_aliases:
> driver = redirect
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> file_transport = address_file
> pipe_transport = address_pipe
> userforward:
> driver = redirect
> check_local_user
> file = $home/.forward
> allow_filter
> no_verify
> no_expn
> check_ancestor
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
> procmail:
> driver = accept
> check_local_user
> require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
> transport = procmail
> no_verify
> localuser:
> driver = accept
> check_local_user
> transport = local_delivery
> cannot_route_message = Unknown user
>
>
> ################
> ## TRANSPORTS ##
> ################
>
> begin transports
> bounce_transport:
> driver = smtp
> remote_smtp:
> driver = smtp
> connection_max_messages = 5
> ### testing DANE here
> hosts_require_dane = *
> procmail:
> driver = pipe
> command = "/usr/bin/procmail -d $local_part"
> return_path_add
> delivery_date_add
> envelope_to_add
> user = $local_part
> initgroups
> return_output
> local_delivery:
> driver = appendfile
> file = /var/mail/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> group = mail
> mode = 0660
> address_pipe:
> driver = pipe
> return_output
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
> address_reply:
> driver = autoreply
>
> ##################
> ## RETRY & MISC ##
> ##################
>
> begin retry
> *    *    F,8h,5m;
> begin rewrite
> begin authenticators

>
>
>
> Best Regards,
>
> --
> Stefan Fasan
>
> Information pursuant to § 14 of the Austrian Commercial Code (Unternehmensgesetzbuch): UPC Austria GmbH, registered office: Wolfganggasse 58-60, 1120 Wien, commercial register number: FN 251865s, Commercial Court of Vienna (Handelsgericht Wien).
>


--
Torsten
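The point of the thread is that a signed answer is not the same as a validated answer: the RRSIG is present in both dig captures, but only the unbound answer carries the AD flag, and Exim does not validate signatures itself; it relies on the AD bit from a validating resolver, which is why the pdns-recursor setup produces "lookup not DNSSEC". The script below is an added example, not code from the thread or from the Exim project. It parses `dig +dnssec +multi` output of the kind shown above and reports what the capture actually proves. The two sample texts are constructed from the captures in the thread with the signature bytes shortened, and the reference time used for the RRSIG validity window is a constructed value near the date of the captures.

```python
"""Parse `dig ... +dnssec +multi` output and say whether the answer would
count as DNSSEC-validated for a client like Exim, which acts on the
resolver's AD bit rather than checking RRSIGs itself.

Added example (not code from the thread). The sample texts are constructed
from the two dig captures in the thread, with the signature bytes shortened.
"""
import re
from datetime import datetime, timezone

# Constructed sample: answer from pdns-recursor (AD flag absent).
DIG_PDNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx4.unitybox.de.       IN A

;; ANSWER SECTION:
mx4.unitybox.de.        1998 IN A 80.69.98.122
mx4.unitybox.de.        1998 IN RRSIG A 8 3 3600 20170219230330 (
                                20170120222301 19254 unitybox.de.
                                HPtLSwDpOuht...SIGNATURE-TRUNCATED... )
"""

# Constructed sample: answer from unbound (AD flag present, same RRSIG).
DIG_UNBOUND = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58977
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
mx4.unitybox.de.    3600 IN    A 80.69.98.122
mx4.unitybox.de.    3600 IN    RRSIG A 8 3 3600 (
                20170219230330 20170120222301 19254 unitybox.de.
                HPtLSwDpOuht...SIGNATURE-TRUNCATED... )
"""

# Constructed reference time, shortly before the captures were taken.
REFERENCE_TIME = datetime(2017, 2, 8, 12, 0, tzinfo=timezone.utc)

_STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)", re.M)
_FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
_EDNS_RE = re.compile(r"^; EDNS: .*flags: ([^;]*);", re.M)
# RRSIG rdata: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer. +multi wraps it in parentheses and the "("
# may follow either the TTL or the expiration, so it is optional in both spots.
_RRSIG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\(?\s*"
    r"(\d{14})\s+\(?\s*(\d{14})\s+(\d+)\s+(\S+)", re.M)


def parse_header(dig_text):
    """Return the response status, header flags and EDNS flags."""
    status = _STATUS_RE.search(dig_text)
    flags = _FLAGS_RE.search(dig_text)
    edns = _EDNS_RE.search(dig_text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }


def _sigtime(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_text):
    """Extract every RRSIG record in the answer (signature bytes are ignored)."""
    out = []
    for m in _RRSIG_RE.finditer(dig_text):
        out.append({
            "owner": m.group(1),
            "type_covered": m.group(3),
            "algorithm": int(m.group(4)),
            "labels": int(m.group(5)),
            "original_ttl": int(m.group(6)),
            "expiration": _sigtime(m.group(7)),
            "inception": _sigtime(m.group(8)),
            "key_tag": int(m.group(9)),
            "signer": m.group(10),
        })
    return out


def dnssec_verdict(dig_text, now):
    """Summarise what the capture proves; only the AD bit matters to Exim."""
    hdr = parse_header(dig_text)
    sigs = parse_rrsigs(dig_text)
    validated = "ad" in hdr["flags"]
    return {
        "status": hdr["status"],
        "do_bit_sent": "do" in hdr["edns_flags"],
        "signed": bool(sigs),
        "rrsig_in_window": bool(sigs) and all(
            s["inception"] <= now <= s["expiration"] for s in sigs),
        "ad": validated,
        # A signed but unvalidated answer still yields "lookup not DNSSEC".
        "exim_sees_dnssec": validated,
    }


def check_samples():
    """Run the verdict over both constructed captures."""
    return {
        "pdns-recursor": dnssec_verdict(DIG_PDNS, REFERENCE_TIME),
        "unbound": dnssec_verdict(DIG_UNBOUND, REFERENCE_TIME),
    }


if __name__ == "__main__":
    for resolver, verdict in check_samples().items():
        print(resolver, verdict)
```

Run against the two samples, the pdns-recursor capture comes back as signed, DO bit sent, signature inside its validity window, but AD absent, which is exactly the state Exim reports as not DNSSEC; the unbound capture differs only in the AD flag. The same parser can be pointed at fresh dig output to confirm that a resolver change fixed the problem before touching the Exim configuration.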