[exim] Problems with outgoing DANE-TLSA, when CA-anchored t…

Author: Wolfgang
Date:
To: exim-users
Subject: [exim] Problems with outgoing DANE-TLSA, when CA-anchored test fails
Hello,

I have problems connecting to DANE-configured hosts when the MX has a correct TLSA-RR but a
valid certificate (letsencrypt) with the wrong CN.
In cases with self-signed certs and a correct TLSA-RR there are no problems. With the correct CN in a
valid certificate and a correct TLSA-RR everything is also OK.

In the documentation I read:

>If DANE is requested and useable (see above) the following transport options are ignored:
> hosts_require_tls = *
> tls_verify_hosts
> tls_try_verify_hosts
> tls_verify_certificates
> tls_crl
> tls_verify_cert_hostnames
> tls_sni


and to me that means that DANE should have precedence when the TLSA-RR and all other settings
match!

But that does not seem to be the case.

What am I missing?


Thanks for any hints


Wolfgang

