Hi!
I'm testing the new exim 4.85 DANE support and it took only a few days to
get into trouble...
One of our users tried to send mail to the domain education.lu.
Their domain and MX hosts are DNSSEC enabled and have TLSA RRs.
The DANE validator
https://dane.sys4.de/smtp/education.lu
says: "Unusable TLSA Records". Most likely because type 1 is not allowed
for DANE-SMTP?
I've set hosts_try_dane = * in my SMTP transport.
Exim refuses to talk to those hosts at all with "failure while setting up
TLS session". Is this expected behavior in terms of DANE-SMTP? What's
postfix doing in this case?
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha(a)gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria
[ FYI, from postfix-users ]
> On Dec 14, 2015, at 2:57 PM, Jacob Hoffman-Andrews <jsha(a)eff.org> wrote:
>
> On 12/14/2015 11:23 AM, Viktor Dukhovni wrote:
>> May I ask for your help in providing configuration guidance to LE
>> users who also plan to publish DANE TLSA records.
>
> I'd be happy to help, but am a little constrained on time. If you've got
> time, would you mind posting a quick explanation at
> https://community.letsencrypt.org/c/server-config of why "3 0 1" records
> are risky with LE certificates, and the alternatives? I think the email
> below is a good start, and if you prefer not to create an account on our
> forums I could repost it with permission. I'll then pin the post for
> some time to make people see it.
Thanks.
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
--
Viktor.
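As an added example that is not part of either message (and not Exim's or Postfix's code), here is a small Python checker covering both points in this thread: it flags usage 0/1 records as unusable for DANE-SMTP, as the validator in Wolfgang's report did, and shows why a "3 0 1" record stops matching once the certificate is reissued, the issue behind Viktor's Let's Encrypt post. The DER certificates are constructed stand-ins, not real certificates.

```python
# Added example (not from the thread, Exim or Postfix): classify TLSA records
# for DANE-SMTP per RFC 7672 and show why "3 0 1" breaks when a cert is reissued.
import hashlib

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGEST_LEN = {1: 64, 2: 128}  # hex length of SHA-256 / SHA-512 record data

def parse_tlsa(rdata):
    """Split 'usage selector mtype hex' presentation form into fields."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()

def classify_tlsa(rdata):
    """Return (verdict, reason); verdict is 'unusable', 'fragile' or 'usable'."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    # RFC 7672 section 3.1.3: PKIX-TA(0) and PKIX-EE(1) are not supported for
    # SMTP and must be treated as unusable. A zone that publishes only such
    # records is what a DANE-SMTP validator reports as "Unusable TLSA Records".
    if usage not in (2, 3):
        return "unusable", f"usage {usage} ({USAGES.get(usage, '?')}) not allowed for DANE-SMTP"
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return "unusable", "unknown selector or matching type"
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        return "unusable", f"matching type {mtype} needs {DIGEST_LEN[mtype]} hex chars"
    # Selector 0 covers the whole certificate; every reissued certificate has a
    # new serial and validity period, so the record stops matching at renewal.
    if usage == 3 and selector == 0:
        return "fragile", "3 0 x matches the full certificate; breaks at every reissue"
    return "usable", f"{USAGES[usage]} selector {selector} mtype {mtype}"

def tlsa_for_cert(der, mtype=1):
    """Build a '3 0 <mtype>' record (full-certificate selector) from DER bytes."""
    h = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return f"3 0 {mtype} {h(der).hexdigest()}"

def matches_full_cert(rdata, der):
    """Check a selector-0 record against the certificate a server presents."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is handled here")
    if mtype == 0:
        return data == der.hex()
    h = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return data == h(der).hexdigest()

# Constructed stand-ins for two successive issuances of the same server cert.
CERT_V1 = b"constructed DER: serial=0001 validity=2015"
CERT_V2 = b"constructed DER: serial=0002 validity=2016"
```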