[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Pàgina inicial
Delete this message
Reply to this message
Autor: Wolfgang
Data:  
A: Viktor Dukhovni via Exim-users
Assumpte: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Hello Viktor,

>Do you have evidence that Exim is actually configured to use DANE, do
>you have <https://packages.debian.org/search?keywords=libgnutls-dane0>
>installed? Does anything in the logs indicate that DANE is attempted?


on my testsystem it looks like:
libgnutls-dane0/stable,now 3.7.9-2+deb12u3 amd64 [Installiert,automatisch]
my production system looks like:
libgnutls-dane0/focal-updates,focal-security,now 3.6.13-2ubuntu1.11 amd64 [Installiert,automatisch]

not seeing anything about dane.

Regards

Wolfgang





------
In Antwort auf die folgende Mail

From: Viktor Dukhovni via Exim-users <exim-users@???>
To:   exim-users@???
Cc:   
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Date:    Mon, 8 Jul 2024 23:29:40 +1000



On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote:

> >Perhaps the issue is as mundane as you not having a local validating
> >resolver in /etc/resolv.conf, so that the destination domain looks
> >unsigned to Exim? Can you post the output of:
>
> >    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'

>
> >On my system, I see:
>
> >    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> >    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> >    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> >Note the "ad" bit in the response *flags*, and "127.0.0.1" for the
> >*SERVER*. I have a validating local resolver.

>
> I checked into that already also. First I used my own nameserver,
> where the output just looks as yours.
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)


But does *glibc* strip the AD bit when processing the response? Do you
have "options trust-ad" in /etc/resolv.conf?

> But later I changed to to the nameservers from my hoster, where the output looks like this:
> dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
> ;; SERVER: 185.12.64.1#53(185.12.64.1) (UDP)


And DANE is pretty pointless if you're trusting the AD from a server far
away. To get meaningful security, you need a server you control that
you can reach via the loopback interface or a "very private" LAN.

> So that can't be the cause from my knowledge point.


Do you have evidence that Exim is actually configured to use DANE, do
you have <https://packages.debian.org/search?keywords=libgnutls-dane0>
installed? Does anything in the logs indicate that DANE is attempted?

> >DANE is not actually taking place.
>
> All I can see is, that DANE takes place (for the OpenSSL based exim),
> as I pass the test from https://blog.lindenberg.one/EmailSecurityTest


But you also reported that the OpenSSL version did not send SNI, which
is not consistent with that claim.

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/