[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Viktor Dukhovni via Exim-users
Data:  
Para: exim-users
Assunto: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On Mon, Jul 08, 2024 at 03:22:50PM +0000, Slavko via Exim-users wrote:

> >I checked into that already also. First I used my own nameserver, where the output just looks as
> >yours.
> > dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> > ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>
> AFAIK, the dig doesn't use system resolver at all, it only can get nameserver
> address from /etc/resolv.conf, and all DNS stuff does by self. In other words,
> exim can see different results than dig shows.


Yes, probing with "dig" is a deliberate choice. What we've established
is that there is likely alocal validating resolver available. What
remains to determine is whether the AD bit gets all the way through to
glibc applications ("options trust-ad" is on), and whether Exim is
configured to enable DANE, and whether GnuTLS DANE support is present.

It is very frustrating that the OP is unable or unwilling to respond to
all the questions raised in upthread posts, instead cherry-picking just
one or some of the questions to respond to, until recently, presented
partial extracts rather full debug traces, ...

This drags out what should have been a quick diagnosis into a much too
long thread.

At this point, it may be useful for the OP to determine whether DNSSEC
resolution is working via glibc, by temporarily installing Postfix's
posttls-finger, and running ("dig" once more to make sure nothing's
changed on that front):

    $ dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; (flags|SERVER):'
    $ posttls-finger -Lcertmatch,summary et.lindenberg.one


Mind you, at this point from my own mail server, I'm not even seeing
"STARTTLS" offered by the MX hosts of that domain.

    $ posttls-finger "[mx06.et.lindenberg.one]"
    posttls-finger: Connected to mx06.et.lindenberg.one[2a02:247a:26d:7900::1]:25
    posttls-finger: < 220 mx01.et.lindenberg.one SecureMailAnalyzer
    posttls-finger: > EHLO [...]
    posttls-finger: < 250-mx01.et.lindenberg.one Hello [...]
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 Bye


    $ posttls-finger et.lindenberg.one
    posttls-finger: Connected to mx04.et.lindenberg.one[85.215.77.84]:25
    posttls-finger: < 220 mx01.et.lindenberg.one SecureMailAnalyzer
    posttls-finger: > EHLO [...]
    posttls-finger: < 250-mx01.et.lindenberg.one Hello [...]
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 Bye


But, from the DANE-survery (https://stats.dnssec-tools.org) server I
see:

    $ posttls-finger -c -Lsummary,certmatch "[mx06.et.lindenberg.one]"
    posttls-finger: mx06.et.lindenberg.one[2a02:247a:26d:7900::1]:25: matched peername: mx06.et.lindenberg.one
    posttls-finger: mx06.et.lindenberg.one[2a02:247a:26d:7900::1]:25: Matched DANE TA certificate at depth 1: 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
    posttls-finger: mx06.et.lindenberg.one[2a02:247a:26d:7900::1]:25: subject_CN=et.lindenberg.one, issuer_CN=R3, fingerprint=40:B8:C8:0B:7B:40:A0:16:1A:67:C1:21:AE:5F:68:BA:B7:E5:3E:60:4D:63:1D:54:A4:3C:89:FB:41:D9:4A:1E, pkey_fingerprint=09:91:7D:71:47:73:FD:D2:4D:79:94:3B:4A:43:DD:50:46:C3:66:93:3C:EC:77:B0:05:EC:3B:BD:8C:6F:37:59
    posttls-finger: Verified TLS connection established to mx06.et.lindenberg.one[2a02:247a:26d:7900::1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256


If "posttls-finger" is able to use DANE successfully also for the OP,
then the issue is likely not at the glibc DNS layer. If STARTTLS is
offered, but the wrong certificate is presented and the connection is
not DANE verified, then likely "options trust-ad" could be missing piece
of the puzzle.

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/