Hi there,

my exim installation is failing when I try forcing DNSSEC for DANE using "dnssec_require_domains" for any domain.

I tried to solve this riddle but failed, so I ask you to please solve it for me or give me hints on what I can try to debug it further. The following is the information I already have.


Example from "exim -bd -d-all+route+transport+dns" when forced in the router:

--------> dnslookup_secure router <--------
local_part=dnssectest1 domain=mailbox.org
checking domains
R: dnslookup_secure for [email protected]
calling dnslookup_secure router
dnslookup_secure router called for [email protected]
  domain = mailbox.org
DNS lookup of mailbox.org (MX) succeeded
dnslookup_secure router: defer for [email protected]
  message: host lookup done insecurely
added retry item for R:[email protected]: errno=-1 more_errno=0 flags=0
LOG: MAIN
== [email protected] R=dnslookup_secure defer (-1): host lookup done insecurely

or if forced in the transport:

routed by dnslookup_secure router
  envelope to: [email protected]
  transport: remote_smtp_secure
  host mx2.mailbox.org [2001:67c:2050:104:0:2:25:1] MX=10 dnssec=no
  host mx1.mailbox.org [2001:67c:2050:104:0:1:25:1] MX=10 dnssec=no
  host mx2.mailbox.org [80.241.60.215] MX=10 dnssec=no
  host mx1.mailbox.org [80.241.60.212] MX=10 dnssec=no
  host mx3.mailbox.org [2001:67c:2050:104:0:3:25:1] MX=20 dnssec=no
  host mx3.mailbox.org [80.241.60.216] MX=20 dnssec=no
  host mx-n.mailbox.org [91.198.250.17] MX=50 dnssec=no


The DNS server used is a system-local installation of unbound, which to my knowledge works and validates correctly, e.g.

chris@momos:~$ unbound-host -vDr mailbox.org
mailbox.org has address 80.241.60.194 (secure)
mailbox.org has IPv6 address 2001:67c:2050:106::443:194 (secure)
mailbox.org mail is handled by 10 mx1.mailbox.org. (secure)
mailbox.org mail is handled by 50 mx-n.mailbox.org. (secure)
mailbox.org mail is handled by 20 mx3.mailbox.org. (secure)
mailbox.org mail is handled by 10 mx2.mailbox.org. (secure)


For exim it doesn’t matter if dns_dnssec_ok = 1 is set or not in exim4.conf.

Configuration: exim 4.94.2 on Debian Bullseye, GnuTLS 3.7.1

Best regards,
Christian

Attachment: OpenPGP_0xC37B23FE39081C53.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
