On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote:
> >Perhaps the issue is as mundane as you not having a local validating
> >resolver in /etc/resolv.conf, so that the destination domain looks
> >unsigned to Exim? Can you post the output of:
>
> > $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
>
> >On my system, I see:
>
> > $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> > ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> >Note the "ad" bit in the response *flags*, and "127.0.0.1" for the
> >*SERVER*. I have a validating local resolver.
>
> I checked into that already also. First I used my own nameserver,
> where the output just looks as yours.
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
But does *glibc* strip the AD bit when processing the response? Do you
have "options trust-ad" in /etc/resolv.conf?
> But later I changed to to the nameservers from my hoster, where the output looks like this:
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
> ;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)
And DANE is pretty pointless if you're trusting the AD from a server far
away. To get meaningful security, you need a server you control that
you can reach via the loopback interface or a "very private" LAN.
> So that can't be the cause from my knowledge point.
Do you have evidence that Exim is actually configured to use DANE, do
you have <
https://packages.debian.org/search?keywords=libgnutls-dane0>
installed? Does anything in the logs indicate that DANE is attempted?
> >DANE is not actually taking place.
>
> All I can see is, that DANE takes place (for the OpenSSL based exim),
> as I pass the test from https://blog.lindenberg.one/EmailSecurityTest
But you also reported that the OpenSSL version did not send SNI, which
is not consistent with that claim.
--
Viktor.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/