[exim] Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Wolfgang
Date:  
To: exim-users
Subject: [exim] Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Hello all,

First, thanks to Viktor for his mail with the excellent script empowering openssl s_client!

Second, a short update on what I tested here:

1) SETUP NEW CLEAN TESTENVIRONMENT
----------------------------------
I have set up a virtual server with its own sub-domain, completely DANE, DKIM and SPF equipped.
I used the most current Devuan Daedalus aka Debian Bookworm.
With this I got an "Exim version 4.93 #3 built 11-Jan-2024 13:28:33".
I kept the configuration as original as possible and configured only the needed things.

And: The problem occurred even here.
A test with this version was also unsuccessful. Exim was not able to verify the DANE target positively!

2) COMPILE CURRENT EXIM 4.97.1 with GNU-TLS
-------------------------------------------
Now I decided to download and compile the 4.97.1 version of exim.
In my first try, I compiled it similarly to the Debian 4.93, also using GnuTLS.

And: The problem occurred even here.
A test with this version was also unsuccessful. Exim was not able to verify the DANE target positively!

3) COMPILE CURRENT EXIM 4.97.1 with OPENSSL (Debian Way)
--------------------------------------------------------
Now I decided to compile the 4.97.1 version of exim against OpenSSL. I installed libssl-dev
and compiled exim.
In my first try, this exim reported with exim -bV that it supports OpenSSL, but when running it
in production, it claimed that GnuTLS can't understand the CIPHERS I had changed to the OpenSSL rules.
WAIT! What?
Yes: exim reports that it supports OpenSSL, but under the hood it is still GnuTLS!
https://packages.debian.org/bookworm/amd64/libssl-dev/filelist
reveals that Debian installs the expected OpenSSL header files, but they are only a wrapper to
the GnuTLS libraries, with the expected OpenSSL names!!

I still tried this version (maybe the wrapper removed some glitches), but NO. Still not able to
deliver!

4) COMPILE CURRENT EXIM 4.97.1 with OPENSSL NATIVE
--------------------------------------------------
OK, now I downloaded OpenSSL 3.3.1 as well, compiled and installed it. Afterwards I built exim
against this OpenSSL installation.

And? SUCCESS!!

Now I was also able to deliver all mails from the prior tests that were still sitting in the queue.

BUT this successful test (https://blog.lindenberg.one/EmailSecurityTest) raised another question:

I received the result that my exim is not using SNI in STARTTLS!

In
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
I am reading:

> If DANE validated the connection attempt then the value of the tls_sni option is
> forced to the name of the destination host, after any MX- or CNAME-following.


But that seems not to be true!
Can someone point me to a solution for how I can tell exim to use SNI every time it opens a TLS
connection? I can't imagine that I have to do a hostname lookup beforehand and set $tls_in_sni.

Ok, so much for now


Regards

Wolfgang
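An added example (my own script, not Wolfgang's, Viktor's or the Exim project's) for the two checks this thread turns on: whether an exim binary really uses OpenSSL or GnuTLS, judged by the `exim -bV` report and by the runtime linkage shown by `ldd` rather than by the build report alone, and an s_client wrapper that does DANE verification of a STARTTLS session while sending SNI for the MX host. It assumes `exim -bV` prints a "Library version:" line naming the TLS library and that the installed openssl s_client supports `-dane_tlsa_domain` and `-dane_tlsa_rrdata`; the sample lines it runs on without arguments are constructed, not captured from a real host.

```shell
# Added example, not from the list post or the Exim project. Assumes `exim -bV`
# prints a "Library version:" line and that s_client supports the -dane_tlsa_* options.

# Classify the "Library version:" line of `exim -bV` output read from stdin.
bv_tls_library() {
    line=$(grep '^Library version:' || true)
    case "$line" in
        *GnuTLS*)  echo GnuTLS ;;
        *OpenSSL*) echo OpenSSL ;;
        *)         echo unknown ;;
    esac
}

# Cross-check the build report against runtime linkage: pipe `ldd "$(command -v exim)"`
# in and print the TLS libraries the binary actually resolves (libssl/libcrypto or libgnutls).
linked_tls_libs() {
    grep -oE 'lib(ssl|crypto|gnutls)[^ ]*\.so[^ ]*' | sed 's/\.so.*//' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Build the s_client command from TLSA records on stdin ("usage selector mtype hex" per
# line, as `dig +short TLSA _25._tcp.HOST` prints them): STARTTLS, SNI for HOST, DANE check.
dane_probe_cmd() {
    host=$1; port=${2:-25}
    cmd="openssl s_client -connect ${host}:${port} -starttls smtp -servername ${host} -dane_tlsa_domain ${host}"
    while read -r usage selector mtype data; do
        [ -n "$data" ] || continue
        data=$(printf '%s' "$data" | tr -d ' ')   # dig may space-split long hex
        cmd="$cmd -dane_tlsa_rrdata \"$usage $selector $mtype $data\""
    done
    echo "$cmd"
}

# Live probe; look for "DANE TLSA ... matched" and "Verification: OK" in the output.
dane_probe() {
    host=$1; port=${2:-25}
    cmd=$(dig +short TLSA "_${port}._tcp.${host}" | dane_probe_cmd "$host" "$port")
    case "$cmd" in
        *-dane_tlsa_rrdata*) eval "$cmd" </dev/null ;;
        *) echo "no TLSA records for _${port}._tcp.${host}" >&2; return 1 ;;
    esac
}

# No argument: run the parsers on constructed sample lines (not real output), offline.
# With a hostname argument: run the live DANE probe against it.
if [ $# -eq 0 ]; then
    printf 'Library version: OpenSSL: Compile: OpenSSL 3.3.1\n' | bv_tls_library
    printf '\tlibgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x1)\n' | linked_tls_libs; echo
else
    dane_probe "$@"
fi
```

When the two checks disagree (the report says OpenSSL but `ldd` resolves libgnutls), the binary was not linked against the OpenSSL you intended, and the cipher-list errors described above are the symptom to expect.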


