[exim] DANE example (Re: Exim & DANE .. status ?)

Author: Phil Pennock
Date:  
To: Exim-users
Old-Topics: [exim] Exim & DANE .. status ?
Subject: [exim] DANE example (Re: Exim & DANE .. status ?)
On 2018-05-22 at 18:09 +0200, Cyborg via Exim-users wrote:
> the German office of security (BSI) has given out a policy that
> secure email servers should have implemented DANE.
>
> So, what's the status of DANE for Exim?
>
> Any useful self-explaining examples at hand? :)


Outbound or inbound? Inbound, once you have TLS configured there's
nothing to do in Exim, it's all in how you configure DNS. Viktor
provided a link to the docs:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECDANE

For outbound delivery:

Make sure that you have a validating DNS resolver. I use Unbound.

Search for both "dnssec" and "dane" in:

https://git.exim.org/exim.git/blob/HEAD:/src/src/configure.default

That's the current default Exim configuration in Git, updated since the
last release. Future releases will have the default configuration file
enable DANE as long as Exim was compiled with support.

Relevant parts (line-numbers per "current HEAD" and might change):

228 # The setting below causes Exim to try to initialize the system resolver
229 # library with DNSSEC support. It has no effect if your library lacks
230 # DNSSEC support.
231
232 dns_dnssec_ok = 1

596 dnslookup:
    #...
603   dnssec_request_domains = *

733 remote_smtp:
    #...
736 .ifdef _HAVE_DANE
737   dnssec_request_domains = *
738   hosts_try_dane = *
739 .endif


That's it. You tell Exim to try to enable DNSSEC in DNS queries; when
routing, you tell Exim to ask for DNSSEC for all domains; when delivering,
you tell Exim to enable DNSSEC for all domains and to try to enable DANE
verification for all outbound connections.

If you want to enable filtered lists of hosts/domains, to work around
known brokenness, then change the `= *` to hostlist patterns in the
usual Exim way, so you can reference files etc. If you want to enable
such workarounds, then try: <https://danefail.org/>. They link to their
GitHub repository, with current lists. You'll need to automate the
updates of that.
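The three settings above, combined with the file-based exemption list just described, as one added Exim configuration fragment (not from this post or from Exim's shipped configure.default; the file path /etc/exim/dane-exempt-hosts is an assumed name, and the list is expected to hold one host pattern per line):

```exim
# Added example: outbound DANE with a per-host exemption list.
# Assumes Exim was built with DANE support (_HAVE_DANE is defined)
# and that the system resolver validates DNSSEC (e.g. a local Unbound).

# Main section: ask the resolver library to set the DNSSEC OK bit.
dns_dnssec_ok = 1

begin routers

# Routing: request DNSSEC for every domain, so that MX answers arrive
# with an authenticated status the transport can rely on.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  dnssec_request_domains = *
  no_more

begin transports

# Delivery: request DNSSEC again for the TLSA lookups, and try DANE for
# every host except those listed in the exemption file. The leading "!"
# negates the file item, so a host found in that file makes the host list
# fail and DANE is not attempted for it; everything else matches "*".
# /etc/exim/dane-exempt-hosts is an assumed path (hypothetical), with one
# host pattern per line, e.g. a hostname or a wildcard like *.example.test.
remote_smtp:
  driver = smtp
.ifdef _HAVE_DANE
  dnssec_request_domains = *
  hosts_try_dane = ! /etc/exim/dane-exempt-hosts : *
.endif
```

Without the `.ifdef` guard, an Exim binary built without DANE would reject `hosts_try_dane` as an unknown option, so keep the guard when the same configuration is shared across builds.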

Myself, I don't currently run commercial mail-services, so I just don't
bother exempting anyone. If someone breaks DANE, they lose inbound mail
until they fix it, and it's almost never been an issue. I think I once
saw issues in the queues of exim.org for some domain and I reached out
to them separately and it got fixed.

-Phil