Autor: Nicola Tiling Data: Dla: exim-users Temat: Re: [exim] How can I establish that DANE is working correctly?
Hi Victor
Thanks for your answer. There is no possibility to proof if dane is working correctly for incoming mails except I have access to the server logfiles from the sending server?
Nicola
> Am 25.04.2017 um 04:52 schrieb Viktor Dukhovni <exim-users@???>:
>
>
>> On Apr 24, 2017, at 9:23 PM, Nicola Tiling <nti@???> wrote:
>>
>>
>> The log shows only „CV=dane“ for >> outgoing mails:
>>
>> <= nti@??? … P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no … from <nti@???> for mytestaccount@???
>> … => mytestaccount@??? F=<nti@???> P=<nti@???> R=dnslookup T=remote_smtp S=4354 H=mx1.mailbox.org DS [80.241.60.212]:25 I=[98.76.54.32]:42738 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane DN="/OU=Domain Validated Only/CN=*.mailbox.org" C="250 2.0.0 from MTA(smtp:[80.241.60.212]:10025): 250 2.0.0 Ok: queued as 84E9145C4F" QT=3s DT=2s
>>
>>
>> << Incoming mails from mailbox.org have only "CV=no“
>
> This is exactly as it should be. DANE authentication is asymmetric,
> the client uses DANE to authenticate the server, but the server is
> completely unaware of this. Either way the client performs a TLS
> handshake after STARTTLS and sends a message.
>
> Client's don't (yet) have DANE TLSA records for the server to check.
> The spec for this took to long to create, and the DANE WG was closed
> in the meantime. So there may not ever be such a spec. Or it might
> get done once broad server adoption shows a more compelling case for
> doing something in the converse direction.
