Re: [exim] How can I establish that DANE is working correctl…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] How can I establish that DANE is working correctly?

> On Apr 24, 2017, at 9:23 PM, Nicola Tiling <nti@???> wrote:
>
>
> The log shows only "CV=dane" for >> outgoing mails:
>
> <= nti@??? … P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no … from <nti@???> for mytestaccount@???
> … => mytestaccount@??? F=<nti@???> P=<nti@???> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.org DS [80.241.60.212]:25 I=[98.76.54.32]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/OU=Domain Validated Only/CN=*.mailbox.org" C="250 2.0.0 from MTA(smtp:[80.241.60.212]:10025): 250 2.0.0 Ok: queued as 84E9145C4F" QT=3s DT=2s
>
>
> << Incoming mails from mailbox.org have only "CV=no"


This is exactly as it should be. DANE authentication is asymmetric,
the client uses DANE to authenticate the server, but the server is
completely unaware of this. Either way the client performs a TLS
handshake after STARTTLS and sends a message.

Clients don't (yet) have DANE TLSA records for the server to check.
The spec for this took too long to create, and the DANE WG was closed
in the meantime. So there may not ever be such a spec. Or it might
get done once broad server adoption shows a more compelling case for
doing something in the converse direction.

-- 
    Viktor.
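Added example, not part of the thread: a small parser for Exim main-log lines in the format quoted above, which splits deliveries by direction so that CV=dane is only expected on outbound remote_smtp lines, while inbound lines showing CV=no are reported as normal. The log lines, hostnames and addresses are constructed placeholders, and the direction/field regexes are assumptions about the log layout shown in the thread.

```python
import re
from typing import Dict, List

# Exim main-log fields look like KEY=value; values may be quoted ("...")
# or bare. A quoted value is consumed whole so "DN=/CN=..." is not re-split.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Message flags are surrounded by spaces: <= received, => delivered, etc.
DIRECTION_RE = re.compile(r'\s(<=|=>|->|\*\*|==)\s')

def parse_exim_line(line: str) -> Dict[str, str]:
    """Return the direction flag plus the KEY=value fields of one log line."""
    fields: Dict[str, str] = {}
    match = DIRECTION_RE.search(line)
    fields["direction"] = match.group(1) if match else ""
    for key, value in TOKEN_RE.findall(line):
        fields[key] = value.strip('"')
    return fields

def dane_summary(lines: List[str]) -> Dict[str, List[str]]:
    """Outbound (=>) remote_smtp lines are where CV=dane shows DANE worked.
    Inbound (<=) lines carry CV=no even when the peer used DANE, because DANE
    only lets the client authenticate the server, never the other way round."""
    summary: Dict[str, List[str]] = {"outbound_dane": [], "outbound_no_dane": [], "inbound": []}
    for line in lines:
        f = parse_exim_line(line)
        if f["direction"] == "=>" and f.get("T") == "remote_smtp":
            key = "outbound_dane" if f.get("CV") == "dane" else "outbound_no_dane"
            summary[key].append(f.get("H", "?"))
        elif f["direction"] == "<=":
            summary["inbound"].append(f"{f.get('H', '?')} CV={f.get('CV', 'none')}")
    return summary

# Constructed sample log modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    '2017-04-24 21:23:01 1d2ABC-0001xy-Zz <= user@example.org H=(client) [192.0.2.10] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4354 for test@example.net',
    '2017-04-24 21:23:04 1d2ABC-0001xy-Zz => test@example.net F=<user@example.org> R=dnslookup T=remote_smtp S=4354 H=mx1.example.net DS [203.0.113.25]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/CN=mx1.example.net" C="250 2.0.0 Ok: queued" QT=3s DT=2s',
    '2017-04-24 21:25:10 1d2ABD-0001xz-Aa => bob@example.com F=<user@example.org> R=dnslookup T=remote_smtp S=2100 H=mx.example.com [198.51.100.7]:25 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 OK" QT=1s DT=1s',
    '2017-04-24 21:30:00 1d2ABE-0001y0-Bb <= other@example.net H=mx1.example.net [203.0.113.25] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1500 for user@example.org',
]

if __name__ == "__main__":
    for bucket, hosts in dane_summary(SAMPLE_LOG).items():
        print(f"{bucket}: {hosts}")
```

Hosts listed under outbound_no_dane are the ones worth checking for missing or unvalidated TLSA records; the inbound bucket is informational only.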