On 2024-07-07 Wolfgang <[email protected]> wrote:
[...]
> Problem occurs in sending mails to a DANE protected MX, under certain
> conditions.
[...]
Hello,

I have read through all the messages on exim-user and afaict the whole issue was diagnosed as not using DANE at all for lack of dnssec.

[email protected]
From: Jeremy Harris:
| 12:41:19 21110 host mx06.et.lindenberg.one [85.215.77.84] MX=16 dnssec=no
|                                                                 ^^^^^^^^^

[email protected] by Viktor Dukhovni:
| But does glibc strip the AD bit when processing the response? Do you
| have "options trust-ad" in /etc/resolv.conf?

As another datapoint lists.gentoo.org also has a '2 1 1' TLSA record and I can successfully deliver there with successful dane certificate validation there (CV=dane in the logline). That is with a DNS resolver that does dnssec, the respective changes to glibc resolver configuration, and on exim's side dns_dnssec_ok.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
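
Added example, not part of the message above and not code from Exim or Debian: a small Python check for the three conditions the message names (a glibc resolver configured with `trust-ad`, Exim's `dns_dnssec_ok`, and the `dnssec=` flag on Exim's debug host lines). The sample resolv.conf and Exim configuration texts are constructed, the function names are hypothetical, and the debug line is the one quoted in the message.

```python
import re

# Constructed sample inputs; only the debug line comes from the message above.
RESOLV_BAD = "nameserver 127.0.0.1\noptions edns0\n"
RESOLV_GOOD = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
EXIM_BAD = "# main section\nprimary_hostname = mail.example.org\n"
EXIM_GOOD = EXIM_BAD + "dns_dnssec_ok = 1\n"
DEBUG = "12:41:19 21110 host mx06.et.lindenberg.one [85.215.77.84] MX=16 dnssec=no\n"

HOST_RE = re.compile(r"host\s+(\S+)\s+\[([^\]]+)\]\s+MX=\d+\s+dnssec=(yes|no)")
DNSSEC_OK_RE = re.compile(r"^\s*dns_dnssec_ok\s*=\s*1\s*$", re.M)


def resolv_options(text):
    """Collect tokens from 'options' lines; '#' or ';' in column one is a comment."""
    opts = set()
    for line in text.splitlines():
        if line[:1] in ("#", ";"):
            continue
        fields = line.split()
        if fields and fields[0] == "options":
            opts.update(fields[1:])
    return opts


def diagnose(resolv_text, exim_conf, debug_text):
    """Return findings explaining why lookups would not count as DNSSEC-validated."""
    findings = []
    if "trust-ad" not in resolv_options(resolv_text):
        # Since glibc 2.31 the AD bit is removed from responses without this option.
        findings.append("resolv.conf: no 'options trust-ad'")
    if not DNSSEC_OK_RE.search(exim_conf):
        findings.append("exim: dns_dnssec_ok is not set to 1")
    for host, ip, secure in HOST_RE.findall(debug_text):
        if secure == "no":
            findings.append(f"{host} [{ip}]: dnssec=no, DANE will not be used")
    return findings


if __name__ == "__main__":
    for finding in diagnose(RESOLV_BAD, EXIM_BAD, DEBUG):
        print(finding)
```

`trust-ad` tells glibc to believe the AD bit from whatever nameserver is configured, so it belongs only on hosts whose resolv.conf points at a validating resolver reached over a trusted path, such as one on localhost.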

