• MTA to MTA and DANE SUPPORT

    From jaapw@21:1/5 to All on Mon Feb 10 07:37:40 2025
    MTA to MTA and DANE SUPPORT

    We use sendmail 8.18.1 with DANE + DNSSEC + STARTTLS as an MTA to MTA
    server, and it runs reliably, and it does keep our system safe.
    However, I would like to clear the verify=TRUSTED matter.
    Why does it fail in terms of being TRUSTED or is such a value not
    exchanged?

    An example from maillog:

    INCOMING FROM MICROSOFT relay=mail....protection.outlook.com
    Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server,
    relay=mail-db8eur05on20703.outbound.protection.outlook.com
    [IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK,
    cipher=TLS_AES_256_GCM_SHA384, bits=256/256

    OUTGOING TO mx.microsoft
    Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client,
    relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED,
    cipher=TLS_AES_256_GCM_SHA384, bits=256/256

    For the above case e-mail addresses TO and FROM are equal, and
    according to MS in- and outbound DANE should have been applied, however,
    only TO becomes TRUSTED.
    Such an asymmetric behaviour occurs quite often at other mail servers
    too.
    It might be real in quite a number of cases (no DANE).

    We use Slackware64 15.0 with sendmail-8.18.1, bind-9.18.33 and
    we have a tlsa record + dnssec + starttls + rsa certificates;
    (see "delv _25._tcp.mail.talo.nl tlsa +dnssec" ).

    If I have understood the sendmail docs correctly, verify=TRUSTED
    should apply to both outgoing and incoming e-mail-protocols.

    jaapw

    --
    jaapw

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From jaapw@21:1/5 to All on Mon Feb 10 08:59:20 2025
    >> If I have understood the sendmail docs correctly, verify=TRUSTED
    >> should apply to both outgoing and incoming e-mail-protocols.
    >
    > Please point out where it says that so it can be fixed.

    I got the impression that the verify() function did apply to both.
    Probably it was a misreading.

    However, the mail which was sent to me could check my tlsa record, and he
    would send trusted to me, but I have no means to see his trusted DANE state.

    That's a pity, so only verify=OK

    Thanks,

    jaapw

    PS 8.18.1.9 did build OK on Slackware64-15.0

    --
    jaapw

  • From Claus Aßmann @21:1/5 to jaapw on Mon Feb 10 03:38:30 2025
    jaapw wrote:

    > For the above case e-mail addresses TO and FROM are equal, and
    > according MS in- and outbound DANE should have been applied, however,

    "according to MS" .....

    > only TO becomes TRUSTED.

    DANE only applies to client mode ("outgoing").

    > If I have understood the sendmail docs correctly, verify=TRUSTED
    > should apply to both outgoing and incoming e-mail-protocols.

    Please point out where it says that so it can be fixed.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

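The two log lines jaapw quoted, read together with Claus's point that DANE (and therefore verify=TRUSTED) only applies when sendmail is the client, suggest a small check: parse the STARTTLS= lines from maillog, tally the verify= outcomes per direction, and report only the outgoing sessions that did not reach TRUSTED, since a server-mode verify=OK cannot be a DANE failure. The following is an added example, not code from the thread or from the sendmail project. The sample log is constructed here in the format shown above (the mx.example.test sessions and PIDs are made up), and the regular expression assumes the field order of the quoted lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the sendmail "STARTTLS=" lines quoted in
# the thread; hosts, PIDs and the extra example.test sessions are made up.
SAMPLE_LOG = """\
Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server, relay=mail-db8eur05on20703.outbound.protection.outlook.com [IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client, relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 20:01:03 babylon sm-mta[28510]: STARTTLS=client, relay=mx.example.test., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 20:05:11 babylon sm-mta[28522]: STARTTLS=client, relay=mx.example.test., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""

# One pattern for both directions. In server mode the relay field carries a
# trailing "[IPv6:...]" address, so relay is matched up to the next comma
# rather than the next space. Field order is assumed from the quoted lines.
STARTTLS_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\]: STARTTLS=(?P<mode>client|server), "
    r"relay=(?P<relay>[^,]+), version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\S+)"
)


def parse_starttls_line(line):
    """Return the STARTTLS fields of one maillog line, or None if it has none."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the relay to a bare hostname: drop the bracketed address that
    # server-mode lines append and the trailing dot that client-mode lines use.
    rec["host"] = rec["relay"].split()[0].rstrip(".")
    return rec


def parse_log(text):
    """Parse every STARTTLS= line in a block of maillog text."""
    return [r for r in (parse_starttls_line(line) for line in text.splitlines()) if r]


def summarize_by_direction(text):
    """Count verify= outcomes separately for client and server sessions."""
    out = defaultdict(Counter)
    for rec in parse_log(text):
        out[rec["mode"]][rec["verify"]] += 1
    return {mode: dict(counts) for mode, counts in out.items()}


def client_sessions_without_trusted(text):
    """List (host, verify) for outgoing sessions that did not reach TRUSTED.

    Only client-mode lines are considered: DANE is applied when sendmail is the
    client, so a server-mode verify=OK (the inbound line from the thread) is
    not a DANE failure. A client-mode OK or FAIL to a domain that publishes
    TLSA records is the case worth investigating.
    """
    return [(r["host"], r["verify"]) for r in parse_log(text)
            if r["mode"] == "client" and r["verify"] != "TRUSTED"]


if __name__ == "__main__":
    for mode, counts in summarize_by_direction(SAMPLE_LOG).items():
        print(f"{mode}: {counts}")
    for host, verify in client_sessions_without_trusted(SAMPLE_LOG):
        print(f"outgoing session not TRUSTED: {host} verify={verify}")
```

Run against a real maillog, the report is read as: the server-side totals show how many inbound peers presented a verifiable certificate, while the client-side list is the set of destinations to check for TLSA records and a DANE mismatch; the absence of TRUSTED on inbound lines is expected and needs no follow-up.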