With the help of Wolfgang B and Jeremy we could resolve the issue.
It was introduced in d8e99d6047e709b35eabb1395c2046100d1a1dda and
relates to Exim Bug 2265 https://bugs.exim.org/show_bug.cgi?id=2265

Several conditions had to be met to trigger this bug.

- The MX of the recipient's domain supports DANE (TLSA and DNSSEC)

        atvirtual.net MX 1 serv02.atvirtual.eu.
                                            ~~~ EU!

- The MX of the recipient's domain responds to the SNI with the
  recipient's domain with a certificate 

        openssl s_client \
                -starttls smtp \
                -connect serv02.atvirtual.eu:25 \
                -servername atvirtual.net \
                -dane_tlsa_rrdata "3 1 1 7e95e999da41cdd250eb3f97c397bfdb087aeab914edbdf1b5b6c49457923048" \
                -dane_tlsa_domain "serv02.atvirtual.eu"

  that doesn't match the TLSA record propagated for the MX:

        _25._tcp.serv02.atvirtual.eu. 3600 IN   TLSA    3 1 1 7E95E999DA41CDD250EB3F97C397BFDB087AEAB914EDBDF1B5B6C494 57923048

As far as I understand, that's totally legal. It was our fault to set
the SNI to the recipient's domain (atvirtual.net), instead of the target
host (serv02.atvirtual.eu).

Unfortunately the error message wasn't too helpful, especially the phrase 
"error in error":

    Dane verify_cert
    verify_callback_client_dane: BAD depth 1 /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
     - err 20 'unable to get local issuer certificate'
    SSL3 alert write:fatal:unknown CA
*   SSL_connect: error in error
    Dane lib-cleanup
    TLS error '(SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
    TLS session fail: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    LOG: MAIN
      DANE attempt failed; TLS connection to serv02.atvirtual.eu [185.206.180.72]: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I'm not sure if Exim can be improved here, or if we have to accept it. Though,
the command line is a bit more expressive here:

    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 5D360ACF25EFD293AFA569AA64BDD24F142B863C98941873164E754D3ADDA8D5
        Session-ID-ctx:
        Master-Key: D2CC6C4D469A87CC0E4C45EC9418299A3D25EE36497BFFF6C0BA594F883AF998F6A77B55BB5CF89DD3C52BE08D566E90
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1620059017
        Timeout   : 7200 (sec)
        Verify return code: 65 (No matching DANE TLSA records)
        Extended master secret: no

For the upcoming 4.94.2 a patch is part of the 4.94.2+fixes branch
already. It will be cherry-picked to master soon.

Thank you again for your fast response yesterday.

    Best regards from Dresden/Germany
    Best regards from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
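An added illustration of the two points the mail makes (not Exim's code, and not part of the original post): both the TLSA owner name and the SNI must be derived from the MX host, never from the recipient's domain, and the TLSA rdata has to be matched against what the server actually presents for that SNI. The SPKI bytes used below are constructed; `parse_tlsa` accepts dig's chunked, upper-case hex as well as the compact form used on the openssl command line.

```python
"""DANE-EE (TLSA usage 3) helper: derive TLSA name and SNI from the MX host
and check a presented certificate against a TLSA record (stdlib only)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 3 = DANE-EE (the case in the mail above)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation-format rdata, e.g. '3 1 1 7E95...C494 57923048'.
    dig may chunk the hex with spaces and print it upper-case; join it."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, matching = (int(f) for f in fields[:3])
    return Tlsa(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def dane_names(mx_host: str, port: int = 25) -> tuple[str, str]:
    """Return (TLSA owner name, SNI). Both come from the MX host; using the
    recipient's domain for the SNI is exactly the bug described above."""
    host = mx_host.rstrip(".")
    return f"_{port}._tcp.{host}.", host


def tlsa_matches(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the certificate the server presented satisfies the record."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]
    if rec.matching == 0:
        return selected == rec.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[rec.matching]
    return digest(selected).digest() == rec.data


def demo() -> tuple[bool, bool]:
    """Constructed SPKI for the MX host's real certificate versus a different
    one (what a wrong SNI may make the server present)."""
    mx_spki = b"constructed SPKI of serv02.atvirtual.eu cert"   # constructed
    other_spki = b"constructed SPKI of some other vhost cert"    # constructed
    record = parse_tlsa("3 1 1 " + hashlib.sha256(mx_spki).hexdigest())
    return (tlsa_matches(record, b"", mx_spki),
            tlsa_matches(record, b"", other_spki))   # -> (True, False)
```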
