Hi,
I just updated the github wiki page
The text was:
**If**, and _only_ if, the DNS resolver does not validate by default, then you
need to ensure that your queries are marked as requiring DNSSEC.
On some platforms, this can be done with an option in `/etc/resolv.conf` but in
all cases, in Exi
Hello Viktor, Hello Andrew,
looks like, I have not clearly enough stated in my last mails, that SNI is no
longer an issue.
After the options trust-ad thing, and restarting everything, SNI worked.
> Red herring, due to a flawed test. The SNI issue remains unresolved.
And in the meanwhile Andrew
--
In reply to the following mail
From: Andrew C Aitchison via Exim-users
To: Wolfgang
Cc: exim-users@lists.exim.org
Subject: [exim] Re: GnuTLS and Dane-Problem finally solved
Date: Sat, 13 Jul 2024 21:08:44 +0100 (BST)
>>
>> Ok, I compared the certs again and they just look
Hello Viktor, Hello Jeremy,
and all others helping me, to find the problem with my exim not able to deliver
to the
https://blog.lindenberg.one/EmailSecurityTest .
I tried now a lot of things, and learned a lot about debugging this kind of
error.
As the biggest problem lies into the test-mecha
Viktor Dukhovni via Exim-users
To: exim-users@lists.exim.org
Cc:
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Date: Mon, 8 Jul 2024 23:29:40 +1000
On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote:
> >Perhaps the issue is as mundane as y
Hello,
to the Non-SNI Issue one question:
Why is exim not using SNI for every TLS connection, which got established? SNI
is helpful even far
away from DANE for message routing, multiplexing MX and other stuff.
If there are some caveats with this, there could be an option: HOSTS_AVOID_SNI,
mayb
Hello Viktor,
thanks for your valuable assistance.
>Author: Viktor Dukhovni via Exim-users
>Date: 2024-07-08 04:30 +200
>To: exim-users
>Old-Topics: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!,
>[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!, [exim] Re:
>Problems wi
Hello,
I just use another subject for the SNI issue, as this seems to be independent
from the
DANE-Problem with GNU-TLS.
As it looks right now this causes the DANE-Problem, as the testserver gives
another cert,
when no SNI is sent and that cert reveals the problems with GNU-TLS.
But now I have
Thanks Viktor and Jeremy for your assistance!
So Viktor just told, that the SNI problem is related to the crypto fail problem.
So for Jeremy's questions:
"exim -bP transport remote_smtp | grep dane"
responds with:
dane_require_tls_ciphers =
hosts_require_dane =
hosts_try_dane = *
which shou
Hello Jeremy,
thanks for this very helpful hint!
> Actual debug output from the Exim system. I pointed out how best
> to do that on the 2nd (assuming that the Exim system is the
> accepting end for the connection).
> [ In case it's an outbound connection at issue, a simple way to get
> debug
Hello all,
First a thanks to Viktor, for his mail with the excellent script, empowering
openssl s_client!
Second a short update, what I tested here:
1) SETUP NEW CLEAN TESTENVIRONMENT
--
I have set up a virtual server with its own sub-domain, completely DANE, DKIM,
Hello,
still trying to debug, why my exim is denying connection to mx06.lindenberg.one
(see: https://blog.lindenberg.one/EmailSecurityTest)
I am much more familiar with openssl, but debian-exim is linked against gnu-tls,
so I started digging
in gnutls binary tools also. Unfortunately gnutls-cli
On 2024-07-03 01:12, Viktor Dukhovni via Exim-users wrote:
...
> It is time to post the actual certificate chain (without the private key
> of course), or if this a remote server anyone can connect to,
> alternatively the hostname (and port, if not 25) of the remote server.
>
> The information yo
Hello,
On 2024-07-02 20:20, Jeremy Harris wrote:
>
> If that's all you added, it's because you didn't actually define an
> option called "acl_smtp_starttls" - only an ACL called that.
>
>
thanks, I knew, that I have missed something.
But unfortunately that does not help, as I see now only som
Hello Chris,
Thanks for your hint, but that does not work. I have already used openssl
s_client to extract the
whole certification chain, and I can confirm, that the DANE RR is valid.
The DANE RR signs the key of the letsencrypt intermediate, which signs the
cert, the MX uses.
this last cert
Hello all,
to debug, why the valid CERT is not accepted for a DANE verified outbound
connection, I tried to
enable debugging via ACL:
>acl_smtp_starttls:
> accept
> message = TLS debug started
> logwrite = TLS debugging acl triggered
> control = debug
> c
On 2024-07-01 10:41, Viktor Dukhovni via Exim-users wrote:
> On Sun, Jun 30, 2024 at 11:32:58PM +0200, Wolfgang via Exim-users wrote:
>
> > I have problems connecting DANE configured hosts, when the MX has a
> > correct TLSA-RR but a valid certificate (letsencrypt) wit
Hello,
I have problems connecting DANE configured hosts, when the MX has a correct
TLSA-RR but a
valid certificate (letsencrypt) with the wrong CN.
In cases with self-signed certs and correct TLSA-RR there are no problems. With
the correct CN in a
valid certificate and correct TLSA-RR everythin
18 matches