Re: [exim] DANE(TA) doesn't work with self signed certificates

Author: Michael Westerburg
Date:  
To: exim-users
CC: Viktor Dukhovni
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates
Hello Viktor,

On 09/09/2018 07:48 PM, Viktor Dukhovni via Exim-users wrote:
>
>
>> On Sep 4, 2018, at 8:26 AM, Michael Westerburg via Exim-users <exim-users@???> wrote:
>>
>> Hello Exim-users-list,
>>
>> shortly we introduced DANE but soon afterwards we detected problems
>> sending mails to domains using DANE(TA) with self signed certificates.
>> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:
>
> For the record, your terminology is misleading. Self-signed certificate
> is usually taken to mean that the server's certificate is not issued
> by any CA at all, and is simply signed with its own key.


thanks for the correction. This is not the situation here.

> It seems you mean a "private" issuer CA, or any root CA that is not
> included in the local trust store used for non-DANE verification.


But this is. You are absolutely right. Sorry for my misleading description.

> Your report really should also be specific about which destination
> domain you're having trouble with and what the TLSA records were
> at the time.


The domain is : bayern.de

$ dig +short -t mx bayern.de
10 mail.bayern.de.
$ dig +short -t tlsa _25._tcp.mail.bayern.de.
2 0 1 32A2BC1D515CDBC412B62B47A1CCCF2BB1B8E3EF309F982458D3A7C6 1797422A
$ echo | openssl s_client -crlf -showcerts -starttls smtp -connect mail.bayern.de:25

The last command proves that the mail server delivers the whole chain,
which consists of a self-signed certificate "CN=Bayerische DANE-CA" plus
the server certificate "CN=mail.bayern.de". By extracting the self-signed
certificate from the output above one can easily confirm the TLSA record.
So everything seems to be okay, except for the two log messages:

2018-09-10 11:12:24.925 1fzIF5-00070c-KS DANE attempt failed; TLS
connection to mail.bayern.de [195.200.70.95]: (certificate verification
failed): certificate invalid
2018-09-10 11:12:26.128 1fzIF5-00070c-KS DANE attempt failed; TLS
connection to mail.bayern.de [195.200.70.104]: (certificate verification
failed): certificate invalid

Adding the self-signed certificate to the local trust store solves the
problem.

++Michael

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028
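The manual check described in the message above (extract the certificates that `openssl s_client -showcerts` printed, hash the issuer certificate, compare with the `2 0 1 ...` TLSA record) can be scripted offline. The following is an added example, not code from the original post, from Exim or from the bayern.de operators. It uses only the Python standard library: PEM blocks are base64-decoded to DER, the SubjectPublicKeyInfo is located with a minimal DER walker for selector 1, and the matching data is compared for matching types 0/1/2. Because no network is available, the sample "chain" is built from a constructed DER skeleton with filler fields and a filler signature; it is not a real certificate, only enough structure for the parser. The names `mail.example.test` and `Example DANE-CA` are placeholders. It also generalises beyond the post's `2 0 1` case by checking usage 3 (DANE-EE) records against the leaf and usage 2 (DANE-TA) records against an issuer the server actually sent, assuming the leaf-first chain order that s_client prints.

```python
"""Check a DANE TLSA record against a PEM chain captured with
`openssl s_client -showcerts`, offline and with the stdlib only."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_ders(text):
    """Every certificate in s_client output, in order, as DER bytes."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split a SEQUENCE body into (tag, whole encoded element) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = _read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:end]))
        pos = end
    return out


def spki_der(cert_der):
    """DER-encoded SubjectPublicKeyInfo of a certificate (RFC 5280 field order)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0][1], 0)   # TBSCertificate
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def tlsa_matching_data(cert_der, selector, mtype):
    """Hex matching data per RFC 6698: selector 0 = full cert, 1 = SPKI."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %r" % mtype)


def parse_tlsa(record):
    """Parse dig's presentation format, e.g. '2 0 1 32A2BC...7C6 1797422A'."""
    usage, selector, mtype, *hexparts = record.split()
    return int(usage), int(selector), int(mtype), "".join(hexparts).lower()


def make_tlsa_record(cert_der, usage, selector, mtype):
    """Publisher side: the record an operator would put into the zone."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            tlsa_matching_data(cert_der, selector, mtype).upper())


def check_chain(record, chain_text):
    """Return (ok, index) for the certificate in the server's chain the record
    matches. Assumes leaf-first order as s_client prints it: usage 3 must match
    index 0, usage 2 must match an issuer the server sent above the leaf."""
    usage, selector, mtype, want = parse_tlsa(record)
    for i, der in enumerate(pem_chain_to_ders(chain_text)):
        if tlsa_matching_data(der, selector, mtype) != want:
            continue
        if usage == 3:
            return (i == 0, i)
        if usage == 2:
            return (i > 0, i)
        return (True, i)   # usages 0/1 would additionally need PKIX validation
    return (False, None)


# ---- constructed sample data (NOT real certificates) -----------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_dummy_cert(subject_cn, key_blob, with_version=True):
    """DER skeleton in RFC 5280 layout with filler fields and a filler
    signature; constructed for this example so the parser has something to walk."""
    seq = lambda b: _tlv(0x30, b)
    rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
    algid = seq(_tlv(0x06, rsa_oid) + _tlv(0x05, b""))
    name = seq(_tlv(0x31, seq(_tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, subject_cn.encode()))))
    validity = seq(_tlv(0x17, b"180101000000Z") + _tlv(0x17, b"280101000000Z"))
    spki = seq(algid + _tlv(0x03, b"\x00" + key_blob))
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs = seq(version + _tlv(0x02, b"\x01") + algid + name + validity + name + spki)
    return seq(tbs + algid + _tlv(0x03, b"\x00" + b"\xAA" * 64))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


CA_DER = build_dummy_cert("Example DANE-CA", b"\x01" * 32)        # placeholder issuer
LEAF_DER = build_dummy_cert("mail.example.test", b"\x02" * 32)    # placeholder leaf
FULL_CHAIN = to_pem(LEAF_DER) + to_pem(CA_DER)     # what a correct server sends
LEAF_ONLY = to_pem(LEAF_DER)                       # server that omits the TA cert

if __name__ == "__main__":
    rec = make_tlsa_record(CA_DER, 2, 0, 1)
    print(rec)
    print("full chain:", check_chain(rec, FULL_CHAIN))
    print("leaf only :", check_chain(rec, LEAF_ONLY))
```

Run it against real data by pasting the `openssl s_client -showcerts` output into `check_chain` together with the line `dig +short -t tlsa` returns; a `(True, 1)` result reproduces the manual confirmation in the message above, while `(False, None)` on a usage-2 record means the server is not sending the trust-anchor certificate the record names, which a DANE-TA client cannot verify without it.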