Hello all,

I am trying to configure Exim to try DANE before deciding to deliver
unencrypted mail to remote hosts.

My general configuration has:

    dns_dnssec_ok = 1

And for the remote_smtp transport:

    hosts_try_dane = *
    dnssec_request_domains = *

My system dns resolver verifies dnssec, "dig do.havedane.net" has the
"ad" flag set.

Despite all this, havedane.net reports:

    Email to domain with invalid DANE delivered.

I then test with requiring verification:

    hosts_require_dane = *

This results in a failure for all three tests, for instance:

    R=dnslookup T=remote_smtp: DANE error: do.havedane.net lookup not DNSSEC

I've confirmed I can get a DNSSEC validated record for do.havedane.net
via dig, so why does Exim suggest otherwise?

Thanks,
Dominic.