[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Góra strony
Delete this message
Reply to this message
Autor: Wolfgang
Data:  
Dla: exim-users
Temat: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Hello Viktor,

thanks for your valuable assistance.

>Author: Viktor Dukhovni via Exim-users
>Date: 2024-07-08 04:30 +200
>To: exim-users
>Old-Topics: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!, [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!, [exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails, [exim] no SNI used, when sending TLS secured messages out
>Subject: [exim] Re: Debug TLS/DANE problems



>Perhaps the issue is as mundane as you not having a local validating
>resolver in /etc/resolv.conf, so that the destination domain looks
>unsigned to Exim? Can you post the output of:


>    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'


>On my system, I see:


>    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
>    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>Note the "ad" bit in the response *flags*, and "127.0.0.1" for the
>*SERVER*. I have a validating local resolver.



I checked into that already also. First I used my own nameserver, where the output just looks as
yours.
dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
But later I changed to to the nameservers from my hoster, where the output looks like this:
dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)

So that can't be the cause from my knowledge point.

>Or, more likely, you're not using DANE at all, either because it is not
>enabled in your Exim configuration, or because you don't have a
>validating local resolver in /etc/resolv.conf, or it does have
>"options trust-ad" (needed on recent glic systems).


>Which then leads to no default SNI, and then to the problematic
>keyUsage.


>DANE is not actually taking place.


All I can see is, that DANE takes place (for the OpenSSL based exim), as I pass the test from https://blog.lindenberg.one/EmailSecurityTest

Analysis

Mailserver (Prio)
Adresse(n)
Aussteller Rootzertifikat
DNSSEC
STARTTLS
TLS Version
Zertifikat
Passende TLSA
MTA-STS

mx.sub.myDomain.de (10)
159.69.xx.xx
ISRG Root X1
Mx, A, Tlsa
Success
1.3
Trustworthy
Ok
No Policy
?
Obligatorische Transportverschlüsselung



?
?



?
Qualifizierte Transportverschlüsselung


?
?
?



?
RFC 7672 SMTP-DANE


?
?
?

?

?
RFC 8461 MTA-STS



?
?
?

?

Summary


?
?
?
?
?
?

Netzwerkinformationen









My mailserver avoided untrusted certs, but was sending to the TLSA-trusted cert.


>> I did a tcpdump on my test environment, sending mails to a couple of domains, DANE secure, without
>> DANE, but enforcing STARTTLS and such, allowing STARTTLS.
>> I did this three times, using different compiled exims for the same configuration:
>> - the distribution original exim "Exim version 4.96"
>> - my own compiled exim with OpenSSL-GNU from debian "Exim version 4.97.1"
>> - my own compiled exim with self compiled "openssl-3.3.1" "Exim version 4.97.1"
>> all connections were established without using SNI, just a plain "Client Hello" in the dump!


>> Two servers with "Exim version 4.93" are also not sending SNI in TLS.


>You really should have included the "Transport Layer Security" portion
>of the packet that includes the TLS Client Hello. But if the problem
>is at the DNS layer, this is not surprising, so perhaps not needed.


I enclose two full logs, one with the GNU-TLS Version of exim and the other with the OpenSSL Version



>--
>    Viktor.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/