Exim and DANE validation - aka outbound DANE

Driesp

Hi all

I have been searching this forum for the parameters required to enable outbound DANE validation in exim.
By outbound DANE validation I mean exim validating the certificate of the server receiving our e-mail.

Before I enable inbound DANE, I would like to enable outbound DANE.

For outbound DANE, you need to use a DNSSEC validating resolver and enable DANE in exim.
For inbound DANE, you need to enable DNSSEC on your domain name and add TLSA DNS records for the corresponding MX records.

Thank you for your time.
Kind regards
Dries
 
I have not tested this, but my understanding is that this works in exim 4.91+. Make backups of the files or be prepared to undo this quickly if it fails as, again, I have not tested this.

Place this line in /etc/exim.strings.conf.custom:

Code:
dns_dnssec_ok = 1

And then add this line to the top of /etc/exim.dkim.conf:

Code:
hosts_try_dane = *

The idea here is to use the includes to put those where they need to be, so they stay in place during exim.conf updates. Keep in mind if syntax changes, this can break exim until you fix it.
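
One way to check whether the settings above are taking effect, as an added example that is not part of the original posts: tally the certificate-verification status exim records on outbound delivery lines. It assumes the `tls_certificate_verified` log selector is active so that delivery lines carry `CV=dane`, `CV=yes` or `CV=no`; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like Exim mainlog entries (not real traffic).
SAMPLE_LOG = '''\
2024-05-01 10:00:01 1aaaaa-000001-AA <= bob@example.com H=client.example.com [198.51.100.7] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=1200
2024-05-01 10:00:02 1aaaaa-000001-AA => alice@example.org R=lookuphost T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=dane DN="CN=mx1.example.org" C="250 2.0.0 Ok"
2024-05-01 10:05:10 1bbbbb-000002-BB => carol@example.org R=lookuphost T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=dane DN="CN=mx1.example.org" C="250 2.0.0 Ok"
2024-05-01 10:06:30 1ccccc-000003-CC => dave@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.20] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="CN=mx.example.net" C="250 OK"
2024-05-01 10:07:45 1ddddd-000004-DD => erin@example.com R=lookuphost T=remote_smtp H=mail.example.com [192.0.2.30] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK"
2024-05-01 10:08:00 1eeeee-000005-EE => frank@example.test R=lookuphost T=remote_smtp H=mx.example.test [192.0.2.40] C="250 OK"
2024-05-01 10:09:00 1fffff-000006-FF => local <local@example.com> R=localuser T=local_delivery
'''

# Outbound SMTP deliveries: "=>" (or "->" for extra recipients) with a remote H=host [ip].
DELIVERY = re.compile(r" (?:=>|->) \S+.*? H=(?P<host>\S+) \[")
CV = re.compile(r" CV=(?P<cv>\w+)")


def tally(lines):
    """Map each destination host to a Counter of dane/yes/no/plaintext/unknown."""
    stats = defaultdict(Counter)
    for line in lines:
        m = DELIVERY.search(line)
        if not m:
            continue  # arrivals ("<="), local deliveries and other entries
        if " X=" not in line:
            status = "plaintext"  # no TLS cipher logged for this delivery
        else:
            cv = CV.search(line)
            status = cv.group("cv") if cv else "unknown"
        stats[m.group("host")][status] += 1
    return stats


def hosts_without_dane(stats):
    """Hosts that never had a DANE-verified delivery in the sampled log."""
    return sorted(h for h, c in stats.items() if c["dane"] == 0)


if __name__ == "__main__":
    result = tally(SAMPLE_LOG.splitlines())
    for host, counts in sorted(result.items()):
        print(host, dict(counts))
    print("never DANE-verified:", hosts_without_dane(result))
```

Hosts listed as never DANE-verified are not necessarily a fault: with `hosts_try_dane`, destinations that publish no TLSA records are still delivered to without DANE.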
 