DANE example (Re: Exim & DANE .. status ?)
On 2018-05-22 at 18:09 +0200, Cyborg via Exim-users wrote:
> the German office of security (BSI) has given out a policy that
> secure email servers should have implemented DANE.
> So, what's the status of DANE for Exim?
> Any useful, self-explanatory examples at hand? :)

Outbound or inbound? Inbound: once you have TLS configured there's
nothing to do in Exim; it's all in how you configure DNS. Viktor
provided a link to the docs:

For outbound delivery:

Make sure that you have a validating DNS resolver. I use Unbound.

Search for both "dnssec" and "dane" in:

That's the current default Exim configuration in Git, updated since the
last release. Future releases will have the default configuration file
enable DANE as long as Exim was compiled with support.

Relevant parts (line-numbers per "current HEAD" and might change):

228 # The setting below causes Exim to try to initialize the system resolver
229 # library with DNSSEC support. It has no effect if your library lacks
230 # DNSSEC support.
232 dns_dnssec_ok = 1

596 dnslookup:
603 dnssec_request_domains = *

733 remote_smtp:
736 .ifdef _HAVE_DANE
737 dnssec_request_domains = *
738 hosts_try_dane = *
739 .endif

That's it. You tell Exim to try to enable DNSSEC in DNS queries; when
routing, you tell Exim to ask for DNSSEC for all domains; when delivering,
you tell Exim to enable DNSSEC for all domains and to try to enable DANE
verification for all outbound connections.

If you want to enable filtered lists of hosts/domains, to work around
known brokenness, then change the `= *` to hostlist patterns in the
usual Exim way, so you can reference files etc. If you want to enable
such workarounds, then try: <>. They link to their
GitHub repository, with current lists. You'll need to automate the
updates of that.

Myself, I don't currently run commercial mail-services, so I just don't
bother exempting anyone. If someone breaks DANE, they lose inbound mail
until they fix it, and it's almost never been an issue. I think I once
saw issues in the queues of for some domain and I reached out
to them separately and it got fixed.
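The configuration above only tells Exim to request TLSA records (with DNSSEC) and to verify the server certificate against them. Whether delivery then succeeds depends on the receiving site keeping its published TLSA records in step with the certificate it actually serves, which is exactly the "break DANE and lose inbound mail" failure mode mentioned in the post. The following is an added example (my own Python, not Exim code and not from the post) that implements the TLSA matching rules of RFC 6698 as RFC 7672 applies them to SMTP, generates the record to publish for a given certificate, and checks that a planned certificate rollover is still covered by the published record set. The function names (`tlsa_matches`, `generate_tlsa`, `rollover_safe`, `build_constructed_cert`) are mine, and the certificates it runs on are constructed DER blobs with a real SubjectPublicKeyInfo layout but placeholder names, dates and signature, not real certificates.

```python
"""DANE TLSA matching for SMTP server certificates (RFC 6698 / RFC 7672).

Added example, not code from Exim or from the list post. Standard library
only; the "certificates" are constructed inline as DER so it runs offline.
"""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(body: bytes):
    """Yield (tag, whole_tlv, inner_body) for each TLV in a SEQUENCE body."""
    i = 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        if first < 0x80:
            hdr, n = 2, first
        else:
            k = first & 0x7F
            hdr, n = 2 + k, int.from_bytes(body[i + 2:i + 2 + k], "big")
        yield tag, body[i:i + hdr + n], body[i + hdr:i + hdr + n]
        i += hdr + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV, i.e. what selector SPKI(1)
    covers. TBSCertificate order: [0] version (optional), serial, signature
    algorithm, issuer, validity, subject, subjectPublicKeyInfo."""
    _, _, cert_body = next(der_children(cert_der))
    _, _, tbs_body = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:          # explicit [0] version present
        fields = fields[1:]
    tag, spki, _ = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def tlsa_matches(usage, selector, mtype, data, cert_der) -> bool:
    """Apply one TLSA record to one certificate: the leaf for DANE-EE(3),
    the trust-anchor certificate found in the chain for DANE-TA(2)."""
    if usage not in (2, 3):           # PKIX usages also need CA validation; not done here
        return False
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = extract_spki(cert_der)
    else:
        return False
    if mtype == 0:
        digest = subject
    elif mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False
    return digest == data


def parse_tlsa(rdata: str):
    """Parse presentation format, e.g. '3 1 1 2bb1...' (hex may be split)."""
    p = rdata.split()
    return int(p[0]), int(p[1]), int(p[2]), bytes.fromhex("".join(p[3:]))


def generate_tlsa(cert_der, usage=3, selector=1, mtype=1) -> str:
    """Record to publish for cert_der; defaults are the '3 1 1' form that
    RFC 7672 recommends for SMTP."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        data = subject
    else:
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"


def rollover_safe(records, current_cert, next_cert) -> bool:
    """True when the published TLSA set matches both the deployed and the
    upcoming certificate, so swapping them cannot cut off DANE senders."""
    return all(any(tlsa_matches(*r, c) for r in records)
               for c in (current_cert, next_cert))


def build_constructed_cert(pubkey: bytes) -> bytes:
    """Constructed test input: X.509-shaped DER with a real SPKI layout but
    placeholder names, dates and signature. Not a valid certificate."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey))
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + b"\xaa" * 16))


if __name__ == "__main__":
    current = build_constructed_cert(b"\x01" * 32)
    upcoming = build_constructed_cert(b"\x02" * 32)
    published = [parse_tlsa(generate_tlsa(current))]
    print("deployed cert matches published TLSA:", tlsa_matches(*published[0], current))
    print("safe to install the new cert now?", rollover_safe(published, current, upcoming))
    published.append(parse_tlsa(generate_tlsa(upcoming)))
    print("safe after pre-publishing its record?", rollover_safe(published, current, upcoming))
```

With a real certificate, `ssl.PEM_cert_to_DER_cert()` from the standard library gives the DER bytes, and the records to compare against come from `dig +dnssec TLSA _25._tcp.<mx-hostname>`. The order that keeps DANE-verifying senders like the Exim setup above delivering is: publish the new `3 1 1` record next to the old one, wait out the TTL, install the new certificate, then retire the old record; `rollover_safe` is the check for that intermediate state.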

