Re: [exim] DANE ERROR: TLSA LOOKUP DEFER

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Wed, Mar 25, 2020 at 01:10:53PM -0400, Phil Pennock via Exim-users wrote:

> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many of our end users complains that they are having problem sending email to *.gov.hk with this exim error:
> > DANE ERROR: TLSA LOOKUP DEFER
>
> Their DNS is broken.


It would best if the OP were at liberty to post one or (ideally) more
example domains, or send the examples to me off-list if preferred.

> > However we have contacted our government and their responds is:
> > “Our DNSSEC setup is fine, and it is not nesserary to have DANE setup together with DNSSEC , so it is the exim MTA problem. We have not actually setup DANE “
> > Now here comes the problem: how can we solve this problem passively? We have many cPanel server with Exim.
>
> You have one of these two options set on your SMTP Transport:
>
>     hosts_try_dane
>     hosts_require_dane


Indeed each sender can work around the problem for themselves, but
that's suboptimal if the problem is on the receiving side. Ideally, if
there is breakage on the gov.hk side, we should be able to demonstrate
it to them in a way that elicits action to remediate the problem.

-- 
    Viktor.