On Tue, Mar 31, 2020 at 12:04:06PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/03/2020 07:50, daniel via Exim-users wrote:
> > And will exim
> > by default try DANE on all hosts or not? Because I don't find
> > these two configs in the exim config currently.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D
Jeremy, there is perhaps a cut-n-paste error in the SMTP transport variable docs:
http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146
The text for "hosts_require_dane" and "hosts_try_dane" reads the same:
  hosts_require_dane   Use: smtp   Type: host list†   Default: unset

    If built with DANE support, Exim will require that a DNSSEC-validated
    TLSA record is present for any host matching the list, and that a
    DANE-verified TLS connection is made. See the dnssec_request_domains
    router and transport options. There will be no fallback to in-clear
    communication. See section 43.15.

  hosts_try_dane   Use: smtp   Type: host list†   Default: *

    If built with DANE support, Exim will require that a DNSSEC-validated
    TLSA record is present for any host matching the list, and that a
    DANE-verified TLS connection is made. See the dnssec_request_domains
    router and transport options. There will be no fallback to in-clear
    communication. See section 43.15.
But, presumably, with the "try" variant, the TLSA RRs are not actually
required, and DANE is applied only when TLSA RRs are present
(RFC7672-style opportunistic DANE TLS).
--
Viktor.
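As an added illustration (not text from this thread, from Jeremy, or from the Exim documentation), the following configuration fragment shows where the two options discussed above sit in an Exim setup and how the "try" and "require" forms are combined. The host pattern, the +local_domains list and the section layout are assumptions for this example; the option names are Exim's own.

```exim
# Added example, not the thread's or Exim's own text. The host pattern and
# the +local_domains list are assumptions; adjust them to the local setup.
# Exim does not allow trailing comments on option lines, so every comment
# is on a line of its own.

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  # Request DNSSEC (DO bit) and honour the AD bit on the MX, A/AAAA and
  # TLSA lookups; without this no TLSA record can count as validated.
  dnssec_request_domains = *
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

begin transports

remote_smtp:
  driver = smtp
  # Opportunistic DANE in the RFC 7672 sense: if a DNSSEC-validated TLSA
  # RRset exists for the MX host, a DANE-verified TLS session is required
  # and there is no fallback to cleartext for that host; if no TLSA record
  # exists, delivery proceeds as it would without DANE.
  hosts_try_dane = *
  # Mandatory DANE for the hosts listed here: a missing TLSA record or a
  # failed DANE verification means the message is not delivered in the
  # clear, it is deferred instead.
  hosts_require_dane = *.mx.example.net
  # Ordinary opportunistic TLS still governs the non-DANE case.
  hosts_try_tls = *
```

A host matching hosts_require_dane gets the strict behaviour even though it also matches the `*` in hosts_try_dane. Since the quoted documentation gives hosts_try_dane a default of `*`, the explicit line above is redundant on a build with DANE support and is there only to make the contrast visible. Two things to check before relying on it: the resolver Exim talks to must itself validate DNSSEC, because dnssec_request_domains only asks for and trusts the AD bit, and a query such as `dig +dnssec TLSA _25._tcp.<mx-host>` against that resolver should show the AD flag and a TLSA answer for any host you intend to put in hosts_require_dane.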