Discussion:
MTA to MTA and DANE SUPPORT
jaapw
2025-02-10 07:37:40 UTC
MTA to MTA and DANE SUPPORT

We use sendmail 8.18.1 with DANE + DNSSEC + STARTTLS as an MTA to MTA
server; it runs reliably, and it does keep our system safe.
However, I would like to clear up the verify=TRUSTED matter.
Why does it fail in terms of being TRUSTED, or is such a value not
exchanged?

An example from maillog:

INCOMING FROM MICROSOFT relay=mail....protection.outlook.com
Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server,
relay=mail-db8eur05on20703.outbound.protection.outlook.com
[IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256

OUTGOING TO mx.microsoft
Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client,
relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256

For the above case the e-mail addresses TO and FROM are equal, and
according to MS in- and outbound DANE should have been applied; however,
only TO becomes TRUSTED.
Such an asymmetric behaviour occurs quite often at other mail servers
too.
It might be real in quite a number of cases (no DANE).

We use Slackware64 15.0 with sendmail-8.18.1 and bind-9.18.33, and
we have a TLSA record + DNSSEC + STARTTLS + RSA certificates
(see "delv _25._tcp.mail.talo.nl tlsa +dnssec").

If I have understood the sendmail docs correctly, verify=TRUSTED
should apply to both outgoing and incoming e-mail-protocols.

jaapw
--
jaapw
Claus Aßmann
2025-02-10 08:38:30 UTC
Post by jaapw
For the above case e-mail addresses TO and FROM are equal, and
according MS in- and outbound DANE should have been applied, however,
"according to MS" .....
Post by jaapw
only TO becomes TRUSTED.
DANE only applies to client mode ("outgoing").
Post by jaapw
If I have understood the sendmail docs correctly, verify=TRUSTED
should apply to both outgoing and incoming e-mail-protocols.
Please point out where it says that so it can be fixed.
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
jaapw
2025-02-10 08:59:20 UTC
Post by jaapw
If I have understood the sendmail docs correctly, verify=TRUSTED
should apply to both outgoing and incoming e-mail-protocols.
Post by Claus Aßmann
Please point out where it says that so it can be fixed.

I got the impression that the verify() function did apply to both.
Probably it was a misreading.

However, the server that sent the mail to me could check my TLSA record,
and it would send trusted to me, but I have no means to see its trusted
DANE state.

That's a pity, so only verify=OK.

Thanks,

jaapw

PS: 8.18.1.9 did build OK on Slackware64-15.0.
--
jaapw
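Added example, not code from the thread or from the sendmail project: a small parser that classifies sendmail STARTTLS log lines by direction and verify= result, and applies the rule Claus states above (DANE is client-only, so verify=TRUSTED can only appear on STARTTLS=client lines, and an incoming STARTTLS=server line can at best show verify=OK). The sample log lines are the two quoted in the first post, joined back onto single lines, plus one constructed client-side line with a CA-only result for contrast. The classification labels are my own names, not sendmail's.

```python
"""Classify sendmail STARTTLS log lines by direction and verify= outcome.

The point demonstrated: sendmail applies DANE only as a client, so the
verify=TRUSTED result (TLSA match) is only ever visible on outgoing
connections. An incoming STARTTLS=server line tells you nothing about
whether the remote sender validated *your* TLSA record.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. Lines 1 and 2 are the ones quoted in the thread
# (re-joined onto one line each); line 3 is constructed to show a client
# connection that verified against a CA but had no DANE match.
SAMPLE_LOG = [
    "Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server, "
    "relay=mail-db8eur05on20703.outbound.protection.outlook.com "
    "[IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK, "
    "cipher=TLS_AES_256_GCM_SHA384, bits=256/256",
    "Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client, "
    "relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED, "
    "cipher=TLS_AES_256_GCM_SHA384, bits=256/256",
    "Feb 7 20:01:02 babylon sm-mta[28460]: STARTTLS=client, "
    "relay=mx.example.invalid., version=TLSv1.3, verify=OK, "
    "cipher=TLS_AES_256_GCM_SHA384, bits=256/256",
]

# "STARTTLS=client," or "STARTTLS=server," followed by key=value pairs.
STARTTLS_RE = re.compile(r"STARTTLS=(?P<mode>client|server),\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^,]+)")

# Classification labels (my own names, not sendmail's).
DANE_TRUSTED = "outgoing: DANE TLSA match, verify=TRUSTED"
OUTGOING_CA_ONLY = "outgoing: CA-verified only, no DANE match"
INCOMING_CA_ONLY = "incoming: CA-verified; sender's DANE state not visible"
INCOMING_UNEXPECTED = "incoming: verify=TRUSTED is not expected (DANE is client-only)"
OTHER = "other verify result"


@dataclass
class StartTlsEvent:
    mode: str      # "client" = we connected out, "server" = peer connected in
    relay: str
    version: str
    verify: str
    cipher: str
    bits: str


def parse_starttls(line: str) -> Optional[StartTlsEvent]:
    """Return a StartTlsEvent for a STARTTLS log line, or None otherwise."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in KV_RE.findall(m.group("rest"))}
    return StartTlsEvent(
        mode=m.group("mode"),
        relay=fields.get("relay", ""),
        version=fields.get("version", ""),
        verify=fields.get("verify", ""),
        cipher=fields.get("cipher", ""),
        bits=fields.get("bits", ""),
    )


def classify(ev: StartTlsEvent) -> str:
    """Apply the client-only DANE rule to a parsed event."""
    if ev.mode == "client":
        if ev.verify == "TRUSTED":
            return DANE_TRUSTED
        if ev.verify == "OK":
            return OUTGOING_CA_ONLY
        return OTHER
    # server mode: the remote client's cert may chain to a CA (OK), but
    # sendmail does no TLSA lookup for clients, so TRUSTED cannot occur here.
    if ev.verify == "TRUSTED":
        return INCOMING_UNEXPECTED
    if ev.verify == "OK":
        return INCOMING_CA_ONLY
    return OTHER


def summarize(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(mode, relay, verify, classification) for every STARTTLS line."""
    out = []
    for line in lines:
        ev = parse_starttls(line)
        if ev is not None:
            out.append((ev.mode, ev.relay, ev.verify, classify(ev)))
    return out


if __name__ == "__main__":
    for mode, relay, verify, label in summarize(SAMPLE_LOG):
        print(f"{mode:6} {verify:8} {relay:60} {label}")
```

Run it over a real maillog (for example `grep STARTTLS= /var/log/maillog`) and every incoming line will land in one of the two "incoming" buckets; the asymmetry the first post describes is exactly what the rule predicts.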