[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Wolfgang
Date:  
To: exim-users
New Topics: [exim] Re: Debug TLS/DANE problems
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Thanks Viktor and Jeremy for your assistance!

So Viktor just said that the SNI problem is related to the crypto fail problem.

So for Jeremy's questions:

"exim -bP transport remote_smtp | grep dane"
responds with:
dane_require_tls_ciphers =
hosts_require_dane =
hosts_try_dane = *

which should be the lowest possible configuration, as I tried to change as little as possible.

And there is no MITM or anything else. I captured with tcpdump on the outgoing interface and found
no SNI in the Client Hello.

There is also nothing like AppArmor or SELinux, no Docker or anything like that. It's a core virtual
server with its own IP address, no outbound firewall, nothing.

I am learning at least, that this Mail-Test seems to earn the label TEST, as I got top-level
scorings for my setup from all the usual culprits out there.

So my result so far looks like:

The connection problem seems to be somewhere in GnuTLS, as exim just asks GNU-TLS for verification
and makes no decisions of its own, based on GNU-TLS feedback.

The problem is triggered by the fact that my exim is not using SNI (neither with OpenSSL nor with
GNU-TLS).
As I am using in the test environment the default Debian configuration, just with the minimal
modifications to make DANE and DKIM work.

regards

Wolfgang

