Bug#1075900: Exim4 in Debian can't deliver to DANE secured Mailservers
Andreas Metzler
ametzler at bebt.de
Fri Jul 12 14:48:10 BST 2024
On 2024-07-07 Wolfgang <Debian-Bug-Report at WKraft.org> wrote:
[...]
> Problem occurs in sending mails to a DANE protected MX, under certain conditions.
[...]
Hello,
I have read through all the messages on exim-user and afaict the whole
issue was diagnosed as not using DANE at all for lack of dnssec.
4cbe872a-da6f-491a-b3b5-15ba29317261 at wizmail.org From: Jeremy Harris:
| 12:41:19 21110 host mx06.et.lindenberg.one [85.215.77.84] MX=16 dnssec=no
|                                                                 ^^^^^^^^^
ZovpxAvWDvXO42ln at chardros.imrryr.org by Viktor Dukhovni:
| But does glibc strip the AD bit when processing the response? Do you
| have "options trust-ad" in /etc/resolv.conf?
As another datapoint, lists.gentoo.org also has a '2 1 1' TLSA record and
I can successfully deliver there with successful dane certificate
validation there (CV=dane in the logline). That is with a DNS resolver that
does dnssec, the respective changes to glibc resolver configuration, and
on exim's side dns_dnssec_ok.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
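
The checks discussed in this message, as an added example that is not part of the original mail or of Exim: it looks for `options trust-ad` in resolv.conf text and reads `dnssec=` and `CV=` out of Exim debug and log lines. The function names, the resolv.conf samples and the delivery log line are constructed for illustration; only the `dnssec=no` debug line is taken from the message.

```python
import re

# Constructed samples; only the "host ... dnssec=no" debug line is quoted from the message.
RESOLV_PLAIN = "nameserver 127.0.0.1\n"
RESOLV_TRUST_AD = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
SAMPLE_LINES = [
    "12:41:19 21110 host mx06.et.lindenberg.one [85.215.77.84] MX=16 dnssec=no",
    "2024-07-12 14:00:01 1sSABC-0001Xy-2B => user@example.org R=dnslookup "
    "T=remote_smtp H=mx.example.org [192.0.2.25] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 "
    'CV=dane C="250 OK"',
]

HOST_RE = re.compile(r"\bhost (\S+) \[[^\]]+\].*\bdnssec=(yes|no)\b")  # debug output
CV_RE = re.compile(r"\bH=(\S+) .*\bCV=(\S+)")                          # delivery log line

def resolv_conf_trusts_ad(text):
    """True if any 'options' line carries trust-ad (glibc 2.31 and later
    clear the AD bit in responses unless it is set)."""
    for line in text.splitlines():
        if line.startswith(("#", ";")):  # comment marker in the first column
            continue
        fields = line.split()
        if fields and fields[0] == "options" and "trust-ad" in fields[1:]:
            return True
    return False

def dane_status(lines):
    """Map each host to what the lines show: 'dnssec' state and 'cv' result."""
    status = {}
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            status.setdefault(m.group(1), {})["dnssec"] = m.group(2)
        m = CV_RE.search(line)
        if m:
            status.setdefault(m.group(1), {})["cv"] = m.group(2)
    return status

def diagnose(resolv_text, lines):
    """List the reasons DANE verification would not be in effect."""
    findings = []
    if not resolv_conf_trusts_ad(resolv_text):
        findings.append("resolv.conf lacks 'options trust-ad'")
    for host, st in sorted(dane_status(lines).items()):
        if st.get("dnssec") == "no":
            findings.append(f"{host}: dnssec=no, so DANE is not attempted")
        if "cv" in st and st["cv"] != "dane":
            findings.append(f"{host}: delivered with CV={st['cv']}, not dane")
    return findings
```

The script does not inspect Exim's own configuration, so `dns_dnssec_ok` still has to be checked separately.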