[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni via Exim-users
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote:

> >Perhaps the issue is as mundane as you not having a local validating
> >resolver in /etc/resolv.conf, so that the destination domain looks
> >unsigned to Exim? Can you post the output of:
>
> >    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'

>
> >On my system, I see:
>
> >    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> >    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> >    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> >Note the "ad" bit in the response *flags*, and "127.0.0.1" for the
> >*SERVER*. I have a validating local resolver.

>
> I checked into that already also. First I used my own nameserver,
> where the output just looks as yours.
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)


But does *glibc* strip the AD bit when processing the response? Do you
have "options trust-ad" in /etc/resolv.conf?

> But later I changed to to the nameservers from my hoster, where the output looks like this:
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
> ;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)


And DANE is pretty pointless if you're trusting the AD from a server far
away. To get meaningful security, you need a server you control that
you can reach via the loopback interface or a "very private" LAN.

> So that can't be the cause from my knowledge point.


Do you have evidence that Exim is actually configured to use DANE, do
you have <https://packages.debian.org/search?keywords=libgnutls-dane0>
installed? Does anything in the logs indicate that DANE is attempted?

> >DANE is not actually taking place.
>
> All I can see is, that DANE takes place (for the OpenSSL based exim),
> as I pass the test from https://blog.lindenberg.one/EmailSecurityTest


But you also reported that the OpenSSL version did not send SNI, which
is not consistent with that claim.

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/