[exim] DANE(TA) doesn't work with self signed certificates

Etusivu
Poista viesti
Vastaa
Lähettäjä: Michael Westerburg
Päiväys:  
Vastaanottaja: exim-users
Aihe: [exim] DANE(TA) doesn't work with self signed certificates
Hello Exim-users-list,

shortly we introduced DANE but soon afterwards we detected problems
sending mails to domains using DANE(TA) with self signed certificates.
Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:

dns_dnssec_ok = 1

...

begin routers

...

world:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
dnssec_request_domains = *
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

begin transports

...

remote_smtp:
driver = smtp
tls_require_ciphers = NORMAL
hosts_try_dane = *
connect_timeout = 1m

According to the logfiles Exim complains about the certificates:
"R=world T=remote_smtp defer (-37) H=xyz [1.2.3.4]: TLS session:
(certificate verification failed): certificate invalid". Even switching
to debug level doesn't give further informations. The TLSA record suits
the CA certificate and the remote server delivers the complete
certificate chain. On this side everything seems to be okay.

Once the self signed certificate is added to the operating system's
certificate store everything works fine. Contrary, after removing a well
known CA certificate from this store, sending mails to DANE aware
domains using DANE(TA) and the corresponding CA certificate fails with
the error specified above.

Any help is much appreciated. It could be Exim's DANE implementation or,
most likely, a fault in our configuration.

Kind regards

++Michael Westerburg

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028