On 5/17/23 1:04 AM, Patrick Cernko via Exim-users wrote:
> Hi list,
>
> I just wanted to publish my forked version of Jeff Forsyth's MTASTS-EXIM-PERL solution. In addition
> to some fixes, it also provides a reporting tool for TLSRPT reports (RFC 8460). Reporting is done by
> analyzing the database created by the Perl hooks and the Exim log files.
>
> https://gitlab.mpi-klsb.mpg.de/pcernko/MTASTS-EXIM-PERL
Taking a glance at the Mail::STS library that this seems to use, I'm skeptical this properly
implements DANE fallback.
It looks like it will return a DANE-enforcement policy if the "primary" MX (which seems to just be
the first - I assume it sorts by priority but it's entirely unclear to me) has a TLSA record. This
ignores whether the TLSA record has a type that exim can/will enforce, ignores whether any secondary
MXs have TLSA records, and seems to even ignore whether the TLSA record is properly DNSSEC-signed
(though my perl-readability is pretty poor).
This can cause delivery failure for any number of reasons if the dane-enforcement flag returned
doesn't match exim's ability to enforce DANE.
Because of the complexity of exactly matching exim's DANE policy, it's almost certainly better to
avoid MTA-STS unless your MTA has native support for it (which no popular ones do - it's a Rube
Goldberg machine of nonsense). The postfix-mta-sts package has even worse behavior than this.
MTA-STS is mostly a google thing anyway, just set your tls_enforce to *.gmail/google and let DANE
take care of the rest :)
Matt
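As an added illustration (not part of this thread, nor code from MTASTS-EXIM-PERL or Mail::STS), here is a Python sketch of the per-MX checks the reply above says a DANE-aware policy needs: every MX in priority order rather than only the first, whether the TLSA record type is one an SMTP client can actually authenticate against, and whether the MX and TLSA lookups were DNSSEC-validated. The host names and records are constructed, and the "usable record" sets are this example's reading of RFC 7672 (only DANE-TA and DANE-EE usages), not a statement of Exim's exact policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 full, 1 SHA-256, 2 SHA-512

# Assumption: record types usable for SMTP DANE per RFC 7672; PKIX usages are not.
USABLE_USAGE = {2, 3}
USABLE_SELECTOR = {0, 1}
USABLE_MATCHING = {0, 1, 2}

def usable(rr):
    return (rr.usage in USABLE_USAGE and rr.selector in USABLE_SELECTOR
            and rr.matching in USABLE_MATCHING)

def evaluate_mx(mx_secure, mx_hosts, tlsa_db):
    """Per-MX decision, in priority order: 'enforce' (DNSSEC-secure TLSA with a
    usable record), 'tls-only' (secure TLSA, but no record a client can verify),
    or 'opportunistic' (no TLSA, or TLSA/MX data not DNSSEC-validated).
    mx_hosts: [(priority, host)]; tlsa_db: host -> (dnssec_secure, [Tlsa])."""
    hosts = [h for _, h in sorted(mx_hosts)]
    if not mx_secure:  # an insecure MX RRset means no TLSA can be trusted
        return [(h, "opportunistic") for h in hosts]
    out = []
    for host in hosts:
        secure, rrset = tlsa_db.get(host, (False, []))
        if not secure or not rrset:
            out.append((host, "opportunistic"))
        elif any(usable(rr) for rr in rrset):
            out.append((host, "enforce"))
        else:
            out.append((host, "tls-only"))
    return out

def domain_wide_dane_flag(decisions):
    """A single domain-wide 'enforce DANE' flag is only safe if every MX can be
    authenticated; deriving it from the primary MX alone breaks fallback."""
    return all(status == "enforce" for _, status in decisions)

# Constructed sample: primary MX is fine, secondaries are not.
SAMPLE_MX = [(10, "mx1.example.test"), (20, "mx2.example.test"),
             (30, "mx3.example.test"), (40, "mx4.example.test")]
SAMPLE_TLSA = {
    "mx1.example.test": (True, [Tlsa(3, 1, 1)]),   # DANE-EE, SPKI, SHA-256
    "mx2.example.test": (True, [Tlsa(0, 0, 1)]),   # PKIX-TA: not usable for SMTP
    "mx3.example.test": (False, [Tlsa(3, 1, 1)]),  # TLSA present but not DNSSEC-signed
    # mx4 has no TLSA record at all
}

if __name__ == "__main__":
    decisions = evaluate_mx(True, SAMPLE_MX, SAMPLE_TLSA)
    print(decisions, domain_wide_dane_flag(decisions))
```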