From: jaapw <jaapw@talo.nl>
Newsgroups: comp.mail.sendmail
Subject: MTA to MTA and DANE SUPPORT
Date: Mon, 10 Feb 2025 07:37:40 +0000
Organization: novaBBS
Message-ID: <2a80358b905d54efc0d013e95cbcfc64@www.novabbs.com>
MTA to MTA and DANE SUPPORT
We use sendmail 8.18.1 with DANE + DNSSEC + STARTTLS as an MTA to MTA
server, and it runs reliably, and it does keep our system safe.
However, I would like to clear the verify=TRUSTED matter.
Why does it fail in terms of being TRUSTED or is such a value not
exchanged?
An example from maillog:
INCOMING FROM MICROSOFT relay=mail....protection.outlook.com
Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server,
relay=mail-db8eur05on20703.outbound.protection.outlook.com
[IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
OUTGOING TO mx.microsoft
Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client,
relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
For the above case e-mail addresses TO and FROM are equal, and
according to MS in- and outbound DANE should have been applied, however,
only TO becomes TRUSTED.
Such an asymmetric behaviour occurs quite often at other mail servers
too.
It might be real in quite a number of cases (no DANE).
We use Slackware64 15.0 with sendmail-8.18.1, bind-9.18.33 and
we have a tlsa record + dnssec + starttls + rsa certificates;
(see "delv _25._tcp.mail.talo.nl tlsa +dnssec" ).
If I have understood the sendmail docs correctly, verify=TRUSTED
should apply to both outgoing and incoming e-mail-protocols.
jaapw
--
jaapw
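
Added example, not part of the original post: a small Python parser that tallies the verify= value separately for STARTTLS=server (inbound) and STARTTLS=client (outbound) lines, so the asymmetry described above can be measured over a whole maillog. The first two sample lines are the post's own entries with the wrapping undone; the example.net lines and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# First two lines: the post's own log entries with the wrapping undone.
# Last two lines: constructed for illustration (example.net, 192.0.2.x).
SAMPLE_LOG = """\
Feb 7 17:10:58 babylon sm-mta[26402]: STARTTLS=server, relay=mail-db8eur05on20703.outbound.protection.outlook.com [IPv6:2a01:111:f403:2614:0:0:0:703], version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 19:56:17 babylon sm-mta[28405]: STARTTLS=client, relay=xxxxx-nl.r-v1.mx.microsoft., version=TLSv1.3, verify=TRUSTED, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 20:01:03 babylon sm-mta[28411]: STARTTLS=server, relay=mx1.example.net [192.0.2.10], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 7 20:04:44 babylon sm-mta[28420]: STARTTLS=client, relay=mx2.example.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
"""

# DANE for SMTP (RFC 7672) is a check the connecting client performs on the
# server's certificate, so the tally is kept per direction.
STARTTLS_RE = re.compile(r"\bSTARTTLS=(client|server), (.*)$")


def parse_starttls(line):
    """Return the key=value fields of a sendmail STARTTLS line, or None."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    fields = {"direction": m.group(1)}
    for part in m.group(2).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "relay" in fields:
        # "host [addr]" -> "host", without the trailing root dot
        fields["relay"] = fields["relay"].split(" ")[0].rstrip(".").lower()
    return fields


def verify_by_direction(log_text):
    """Count verify= results separately for inbound and outbound sessions."""
    table = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_starttls(line)
        if fields and "verify" in fields:
            table[fields["direction"]][fields["verify"]] += 1
    return {direction: dict(counts) for direction, counts in table.items()}


if __name__ == "__main__":
    for direction, counts in sorted(verify_by_direction(SAMPLE_LOG).items()):
        print(direction, counts)
```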