
I am trying to configure Exim to try DANE before deciding to deliver unencrypted mail to remote hosts.

My general Exim configuration has: dns_dnssec_ok = 1.

For the dnslookup router: dnssec_request_domains = *

And for the remote_smtp transport:

hosts_try_dane = *
dnssec_request_domains = *

My system DNS resolver verifies DNSSEC; dig do.havedane.net has the ad flag set.

Despite all this, havedane.net reports: Email to domain with invalid DANE delivered.

I then try requiring verification: hosts_require_dane = *

This results in a failure for all three tests, for instance:

R=dnslookup T=remote_smtp: DANE error: do.havedane.net lookup not DNSSEC

I've confirmed I can get a DNSSEC validated record for do.havedane.net via dig, so why does Exim suggest otherwise?

triatic

2 Answers

Did you ever find a solution to this problem? I have the exact same experience. I have now commented out # hosts_try_dane = * since that seems to be the only way to receive mail from non-TLSA valid senders. I must say, the Exim 4 documentation must be among the worst-written man pages I've ever encountered, full of double negatives in config, unclear which conf file is even used for what in which circumstance; it's a can of worms.

I will probably switch back to postfix because of this.

Julius

I solved it in the end. Removing the systemd-resolved package in Ubuntu also removes the options edns0 trust-ad line from /etc/resolv.conf. Restoring this line enabled Exim to look up DANE for remote hosts once more.

triatic
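A pre-flight check for the two conditions this thread turns on, as an added example (not code from the question or either answer): the stub resolver must be told to trust the AD bit via options edns0 trust-ad in /etc/resolv.conf, and a dig query must actually come back with the ad flag. Both functions take their input as text, so the sample resolv.conf and dig header lines below are constructed for offline use; in production, feed them the real file and real dig output.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the resolver-side preconditions
# for Exim's hosts_try_dane to work. Without "trust-ad", glibc's stub resolver
# strips the AD bit from answers, so Exim reports "lookup not DNSSEC" even
# though dig (which has its own resolver code) shows the ad flag.

# Return 0 if the given resolv.conf text has an options line carrying both
# edns0 and trust-ad; any other combination returns 1.
resolv_has_trust_ad() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*options/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "edns0") e = 1
                if ($i == "trust-ad") t = 1
            }
        }
        END { if (e && t) exit 0; exit 1 }'
}

# Return 0 if a dig response header line carries the "ad" (authenticated
# data) flag, e.g. ";; flags: qr rd ra ad; QUERY: 1, ...".
dig_has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]'
}

# Combined verdict: 0 = DANE lookups can work, 1 = resolv.conf problem,
# 2 = resolver is not returning validated answers.
dane_preflight() {
    if ! resolv_has_trust_ad "$1"; then
        echo "resolv.conf lacks 'options edns0 trust-ad': Exim will see no AD bit"
        return 1
    fi
    if ! dig_has_ad_flag "$2"; then
        echo "dig answer has no ad flag: resolver is not validating DNSSEC"
        return 2
    fi
    echo "ok: AD bit is validated and trusted; hosts_try_dane can work"
}

# Constructed samples (not captured from a real host).
SAMPLE_RESOLV_BROKEN='nameserver 127.0.0.53
search example.net'
SAMPLE_RESOLV_OK='nameserver 127.0.0.53
options edns0 trust-ad
search example.net'
SAMPLE_DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

dane_preflight "$SAMPLE_RESOLV_OK" "$SAMPLE_DIG_OK"
```

To run it against the live system, pass "$(cat /etc/resolv.conf)" and "$(dig do.havedane.net)" as the two arguments.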