to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
DNSSEC.
2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
-3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
There are no changes to Exim specific to server-side operation of DANE.
Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
-For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
-The latter variant will result in failure if the target host is not DNSSEC-secured.
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default. Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+
If DANE is requested and useable (see above) the following transport options are ignored:
.code
hosts_require_tls
daemon_smtp_ports string unset main 1.75 pluralised in 4.21
daemon_startup_retries int 9 main 4.52
daemon_startup_sleep time 30s main 4.52
+dane_require_tls_ciphers string* unset smtp 4.91
data string unset redirect 4.00
data_timeout time 5m smtp
debug_print string* unset authenticators 4.00
unset routers 4.00
unset transports 2.00
-debug_store boolean false main 4.90
+debug_store boolean false main 4.90
delay_after_cutoff boolean true smtp
delay_warning time list 24h main
delay_warning_condition string* + main 1.73
hosts_randomize boolean false manualroute 4.00
false smtp 3.14
hosts_require_auth host list unset smtp 4.00
+hosts_require_dane host list unset smtp 4.91 (4.85 experimental)
hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp
hosts_require_tls host list unset smtp 3.20
hosts_treat_as_local domain list unset main 1.95
hosts_try_auth host list unset smtp 4.00
+hosts_try_dane host list unset smtp 4.91 (4.85 experimental)
hosts_try_fastopen host list unset smtp 4.88
hosts_try_prdr host list unset smtp 4.82 if experimental_prdr
ibase_servers string unset main 4.23
git://git.exim.org / exim.git / commitdiff