Re: [exim] DANE ERROR: TLSA LOOKUP DEFER

Author: daniel
Date:  
To: Exim-users
Subject: Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
Hello,

Here is one example of the actual problem. I have just recently tested on
the problem server without applying the option fix (source domain masked
for privacy reasons):

2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testtest@??? H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testtest@??? S=572 id=287d2da21e9c92ef1d105bb7af95f224@??? T="test" for test@???
2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testtest@???
2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com test@???
2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH == test@??? R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER



On 2020-03-25 17:22, Viktor Dukhovni wrote:

> On Wed, Mar 25, 2020 at 01:10:53PM -0400, Phil Pennock via Exim-users wrote:
>
> > On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > > We recently received many complaints from our end users that they
> > > are having problems sending email to *.gov.hk with this exim error:
> > > DANE ERROR: TLSA LOOKUP DEFER
> >
> > Their DNS is broken.
>
> It would be best if the OP were at liberty to post one or (ideally) more
> example domains, or send the examples to me off-list if preferred.
>
> > > However we have contacted our government and their response is:
> > > “Our DNSSEC setup is fine, and it is not necessary to have DANE
> > > setup together with DNSSEC, so it is the exim MTA problem. We have
> > > not actually setup DANE”
> > > Now here comes the problem: how can we solve this problem
> > > passively? We have many cPanel servers with Exim.
> >
> > You have one of these two options set on your SMTP Transport:
> >
>
> Indeed each sender can work around the problem for themselves, but
> that's suboptimal if the problem is on the receiving side. Ideally, if
> there is breakage on the gov.hk side, we should be able to demonstrate
> it to them in a way that elicits action to remediate the problem.
>
>
>
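
An added example, not part of the original message or of Exim: a small Python summarizer for the mainlog entries quoted in the post, listing per message which MX hosts deferred on the TLSA lookup and how many seconds passed before each deferral was logged. The name `summarize` and the regexes are illustrative and assume the log layout and 16-character message id shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: log entries taken from the post above, one entry per line.
SAMPLE_LOG = """\
2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com test@???
2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
2020-03-30 15:05:00 1jIoRn-0004MT-RH == test@??? R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER
"""

# Assumption: timestamp, then a 6-6-2 message id, then the entry text.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
HOST_DEFER = re.compile(r"^H=(\S+) \[([^\]]+)\]: DANE error: tlsa lookup DEFER$")
FINAL_DEFER = re.compile(r"^== \S+ R=(\S+) T=(\S+) defer \((-?\d+)\): DANE error: tlsa lookup DEFER$")

def summarize(log_text):
    """Per message id: hosts that deferred, seconds since the previous entry, router/transport."""
    report = defaultdict(lambda: {"hosts": [], "delays": [], "final": None, "_prev": None})
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip lines without a message id (e.g. cwd= lines)
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg, rest = report[m.group(2)], m.group(3)
        host, final = HOST_DEFER.match(rest), FINAL_DEFER.match(rest)
        if host:
            msg["hosts"].append((host.group(1), host.group(2)))
            if msg["_prev"] is not None:
                # Time this attempt took before the deferral was logged.
                msg["delays"].append(int((when - msg["_prev"]).total_seconds()))
        elif final:
            msg["final"] = (final.group(1), final.group(2), int(final.group(3)))
        msg["_prev"] = when
    # Report only messages that hit at least one TLSA lookup deferral.
    return {mid: {k: v for k, v in d.items() if k != "_prev"}
            for mid, d in report.items() if d["hosts"]}

if __name__ == "__main__":
    for mid, info in summarize(SAMPLE_LOG).items():
        print(mid, info)
```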