Hello all, I am trying to configure Exim to try DANE before deciding to deliver unencrypted mail to remote hosts.
My general configuration has:

    dns_dnssec_ok = 1

And for the remote_smtp transport:

    hosts_try_dane = *
    dnssec_request_domains = *

My system dns resolver verifies dnssec, "dig do.havedane.net" has the "ad" flag set.

Despite all this, havedane.net reports:

    Email to domain with invalid DANE delivered.

I then test with requiring verification:

    hosts_require_dane = *

This results in a failure for all three tests, for instance:

    R=dnslookup T=remote_smtp: DANE error: do.havedane.net lookup not DNSSEC

I've confirmed I can get a DNSSEC validated record for do.havedane.net via dig, so why does Exim suggest otherwise?

Thanks,
Dominic.