Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates


> On Sep 5, 2018, at 1:56 AM, Klaus Ethgen via Exim-users <exim-users@???> wrote:
>
> I had the same problem some days ago.
>
> I do not trust any CA, so no CA is in my truststore. However, some days
> ago, I posted to lists.gentoo.org. They have a valid TLSA entry but exim
> told me that it can't be validated so the mail stuck in queue.
>
> After I enabled (temporarily) the random CA they use, I got a
> successful delivery with the log file saying that it was validated via
> DANE.


For now, switch to a version of Exim that is compiled with OpenSSL.
There's nothing wrong with your original configuration or with
gentoo.org's DANE TLSA records. The issue is that Exim with GnuTLS
does not presently seem to handle DANE-TA(2) correctly.

Abbreviated trace from my DANE survey engine (the certificate issuer
is "Let's Encrypt Authority X3"):

gentoo.org. IN MX 10 mail.gentoo.org. ; NoError AD=1
_25._tcp.mail.gentoo.org. IN CNAME postfix-tlsa.woodpecker.gentoo.org. ; NoError AD=1
postfix-tlsa.woodpecker.gentoo.org. IN CNAME generic-letsencrypt.tlsa.gentoo.org. ; NoError AD=1
generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b ; NoError AD=1
generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
  mail.gentoo.org[140.211.166.183]: pass: TLSA match: depth = 1, name = mail.gentoo.org
    depth = 1
      pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    depth = 2
      pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b
  mail.gentoo.org[2001:470:ea4a:1:5054:ff:fec7:86e4]: pass: TLSA match: depth = 1, name = mail.gentoo.org
    depth = 1
      pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    depth = 2
      pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b


-- 
    Viktor.
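How the "2 1 1" matching in the trace above works, shown as an added example that is not Exim's, OpenSSL's or the survey engine's code: a small pure-Python matcher compares each chain element's SubjectPublicKeyInfo (selector 1) SHA-256 (matching type 1) against the TLSA records and reports the shallowest matching depth, which is why the trace says "depth = 1" even though the root also matches at depth 2. It generalises to selector 0 and to DANE-EE(3), where only the leaf may match; the chain bytes and the record hashes are constructed stand-ins, not real certificates.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

DANE_TA, DANE_EE = 2, 3                           # TLSA certificate usage (RFC 7671)
SEL_CERT, SEL_SPKI = 0, 1                         # selector: whole cert or SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes
    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        # Presentation format as in the trace above, e.g. "2 1 1 563b3caf...".
        usage, selector, mtype, hexdata = rdata.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

@dataclass(frozen=True)
class ChainCert:
    der: bytes   # whole certificate, compared under selector 0
    spki: bytes  # SubjectPublicKeyInfo, compared under selector 1

def association_data(cert: ChainCert, selector: int, mtype: int) -> bytes:
    # The bytes one TLSA record is compared against for one chain element.
    raw = cert.der if selector == SEL_CERT else cert.spki
    if mtype == MATCH_FULL:
        return raw
    return hashlib.new({MATCH_SHA256: "sha256", MATCH_SHA512: "sha512"}[mtype], raw).digest()

def dane_match(chain: Sequence[ChainCert], records: Sequence[TLSA]) -> Optional[Tuple[int, TLSA]]:
    """Shallowest (depth, record) match, depth 0 being the leaf, as in the trace above.
    A DANE-TA(2) match at depth > 0 makes that issuer the trust anchor; checking the
    signatures from there down to the leaf is ordinary PKIX work and is not shown."""
    for depth, cert in enumerate(chain):
        for rr in records:
            if rr.usage not in (DANE_TA, DANE_EE) or (rr.usage == DANE_EE and depth):
                continue  # usages 0/1 also need a CA store; DANE-EE may only match the leaf
            if association_data(cert, rr.selector, rr.mtype) == rr.data:
                return depth, rr
    return None

# Constructed stand-in chain (not real DER): leaf, intermediate CA, root CA.
CHAIN = [ChainCert(b"leaf-cert", b"leaf-spki"), ChainCert(b"intermediate-cert", b"intermediate-spki"),
         ChainCert(b"root-cert", b"root-spki")]
# Two "2 1 1" records in the style of the gentoo.org zone, one per CA's SPKI hash.
RECORDS = [TLSA.parse("2 1 1 " + hashlib.sha256(b"root-spki").hexdigest()),
           TLSA.parse("2 1 1 " + hashlib.sha256(b"intermediate-spki").hexdigest())]
```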