[exim] How can I establish that DANE is working correctly?

Author: Nicola Tiling
Date:  
To: exim-users
Subject: [exim] How can I establish that DANE is working correctly?
Hi

I've configured DANE for one Exim mail server, but only outgoing mails seem to use DANE.

1) Configured DNSSEC on bind9 for the domain where the MX is also configured and registered it at the registrar. Checked against "http://dnsviz.net/d/mydomain.de/dnssec/".
Everything (A, AAAA, NS, MX, SOA) has the status "secure".

2) Installed unbound as a DNS resolver on the Exim host and put it in /etc/resolv.conf; also tested whether the other nameservers offered DNSSEC.

3) Configured a Let's Encrypt certificate and a TLSA record. Checked against "https://dane.sys4.de/smtp/mydomain.de".
Everything is "green" and has a usable TLSA record.

4) Configured Exim. Used swaks as an SMTP client and checked with openssl whether the SHA2-256 hash of the offered certificate matches the TLSA record.
Everything seems to be fine, as tested on "dane.sys4.de".

In the configuration:

    my router / dnslookup section:
         dnssec_request_domains = *


    my transport / remote_smtp section:
         dnssec_request_domains = *
         hosts_try_dane     = *
         dkim_domain        = ${lookup pgsql{DKIM_DOMAINS}}
         dkim_strict        = 0
         dkim_canon         = relaxed
         dkim_selector      = default
         dkim_private_key   = ${if exists \
           … 


5) Created a test account at mailbox.org and sent mails back and forth.

The log shows "CV=dane" only for outgoing mails:

<= nti@??? … P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no … from <nti@???> for mytestaccount@???
… => mytestaccount@??? F=<nti@???> P=<nti@???> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.org DS [80.241.60.212]:25 I=[98.76.54.32]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/OU=Domain Validated Only/CN=*.mailbox.org" C="250 2.0.0 from MTA(smtp:[80.241.60.212]:10025): 250 2.0.0 Ok: queued as 84E9145C4F" QT=3s DT=2s


Incoming mails from mailbox.org have only "CV=no":

SMTP connection from mx1.mailbox.org [80.241.60.212]:48647 I=[98.76.54.32]:25 closed by QUIT
DKIM: d=mailbox.org s=mail20150812 c=relaxed/simple a=rsa-sha256 b=2048 t=1493050957 [verification succeeded]
<= mytestaccount@??? H=mx1.mailbox.org [80.241.60.212]:48647 I=[98.76.54.32]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no …
from <mytestaccount@???> for nti@???
=> nti <nti@???> F=< mytestaccount@???> … Completed QT=1s

Is it because DKIM is also configured? How can I check Exim to see what does and does not happen with DANE, to get more information than just looking at the "CV=dane" log entry? Which debug flags should I use: dns, resolver, transport?


Cheers
Nicola


Exim version 4.89 #0 (FreeBSD 11.0)
Support for: crypteq iconv() IPv6 use_setclassresources Perl Expand_dlfunc OpenSSL Content_Scanning DKIM DNSSEC Event I18N PRDR TCP_Fast_Open Experimental_SPF Experimental_SRS Experimental_DANE Experimental_DCC
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
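An added example, not part of the original post and not Exim's own code: a small Python triage script for the kind of mainlog lines shown above. It separates inbound (`<=`) from outbound (`=>`) remote SMTP hops and classifies each outbound hop as DANE-verified (`CV=dane`), TLS without DANE, or cleartext. The point it makes visible is that DANE is performed by the sending MTA, so `CV=dane` can only ever appear on `=>` delivery lines; on an inbound `<=` line, `CV=` reports the server's verification of the connecting client's certificate, which is why the mailbox.org-to-Exim hop shows `CV=no` regardless of DANE. The log lines, host names and addresses are constructed for the example; the parser assumes the standard Exim main-log layout (`timestamp msgid <=|=> address fields...`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mainlog lines modelled on Exim's format (not a real log).
SAMPLE_LOG = """\
2017-04-24 18:22:37 1d2ab3-000123-Ab <= nti@example.net H=(client.example.net) [198.51.100.10] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1234 for test@mailbox.example
2017-04-24 18:22:40 1d2ab3-000123-Ab => test@mailbox.example F=<nti@example.net> R=dnslookup T=remote_smtp S=1234 H=mx1.mailbox.example [203.0.113.25]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/CN=*.mailbox.example" C="250 2.0.0 Ok"
2017-04-24 18:30:57 1d2ab4-000456-Cd DKIM: d=mailbox.example s=sel c=relaxed/simple a=rsa-sha256 b=2048 [verification succeeded]
2017-04-24 18:30:57 1d2ab4-000456-Cd <= test@mailbox.example H=mx1.mailbox.example [203.0.113.25]:48647 I=[198.51.100.5]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2345 for nti@example.net
2017-04-24 18:30:58 SMTP connection from mx1.mailbox.example [203.0.113.25]:48647 I=[198.51.100.5]:25 closed by QUIT
2017-04-24 18:31:00 1d2ab5-000789-Ef => bob@other.example F=<nti@example.net> R=dnslookup T=remote_smtp S=999 H=mx.other.example [192.0.2.7]:25 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 OK"
2017-04-24 18:31:05 1d2ab6-000999-Gh => alice@plain.example F=<nti@example.net> R=dnslookup T=remote_smtp S=500 H=mx.plain.example [192.0.2.9]:25 C="250 OK"
"""

# "<timestamp> <msgid> <=|=> <address> <rest>"; anything else (DKIM:, SMTP connection ...) is skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) (?P<dir><=|=>) (?P<addr>\S+) (?P<rest>.*)$")
HOST_RE = re.compile(r"\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")   # H=name [ip](:port)
TLS_RE = re.compile(r"\bX=(?P<tls>\S+)")                        # X=proto:cipher:bits
CV_RE = re.compile(r"\bCV=(?P<cv>\S+)")                         # CV=no | yes | dane


@dataclass
class Hop:
    direction: str        # "in" for "<=", "out" for "=>"
    msgid: str
    host: str
    ip: str
    tls: Optional[str]    # None when the hop was cleartext
    cv: Optional[str]     # None when Exim logged no certificate verification


def parse_line(line: str) -> Optional[Hop]:
    """Return a Hop for a remote-SMTP arrival/delivery line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    h = HOST_RE.search(rest)
    if not h:
        return None  # local delivery or submission without a remote host
    tls = TLS_RE.search(rest)
    cv = CV_RE.search(rest)
    return Hop(
        direction="in" if m.group("dir") == "<=" else "out",
        msgid=m.group("msgid"),
        host=h.group("host"),
        ip=h.group("ip"),
        tls=tls.group("tls") if tls else None,
        cv=cv.group("cv") if cv else None,
    )


def parse_log(text: str) -> List[Hop]:
    return [hop for hop in (parse_line(l) for l in text.splitlines()) if hop]


def dane_report(hops: List[Hop]) -> Dict[str, List[str]]:
    """Classify outbound hops only: DANE is verified by the SMTP client, never the server."""
    report: Dict[str, List[str]] = {"dane": [], "tls_no_dane": [], "cleartext": []}
    for hop in hops:
        if hop.direction != "out":
            continue
        if hop.cv == "dane":
            report["dane"].append(hop.host)
        elif hop.tls:
            report["tls_no_dane"].append(hop.host)   # TLS used, but no TLSA match (or none published)
        else:
            report["cleartext"].append(hop.host)     # no STARTTLS at all: worth a closer look
    return report


def inbound_cv_values(hops: List[Hop]) -> Dict[str, Optional[str]]:
    """CV= on '<=' lines is the server's view of the *client's* certificate.

    A connecting MTA normally presents no client certificate and Exim does not
    verify one unless tls_verify_hosts/tls_try_verify_hosts say so, so CV=no here
    is expected and says nothing about whether the sender used DANE to reach us.
    """
    return {hop.host: hop.cv for hop in hops if hop.direction == "in"}


if __name__ == "__main__":
    hops = parse_log(SAMPLE_LOG)
    for kind, hosts in dane_report(hops).items():
        print(f"outbound {kind:12s}: {', '.join(hosts) or '-'}")
    for host, cv in inbound_cv_values(hops).items():
        print(f"inbound from {host}: client-cert CV={cv}")
```

Run it with `python3` to print the classification; feed it `/var/log/exim/mainlog` in place of the constructed sample to triage real deliveries. To watch the TLSA lookups and the TLS handshake themselves rather than only the resulting `CV=` flag, force a delivery of a queued message with debugging enabled, for example `exim -d+dns+tls+transport -M <message-id>`; the `dns`, `resolver`, `tls` and `transport` selectors are the ones that cover the DNSSEC lookup, the TLSA record and the DANE-enabled connection.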