Symptoms
Some outbound emails may fail with the following error reported in your Exim Mainlog:
R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER
DNS lookup for TLSA failed.
dig +dnssec _25._tcp.domain.com TLSA
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2 <<>> +dnssec _25._tcp.domain.com TLSA
;; global options: +cmd
;; connection timed out; no servers could be reached
Description
Exim performs a DANE (DNS-based Authentication of Named Entities) check automatically by default for domains whose DNS is signed with DNSSEC.
Exim Configuration - hosts_try_dane
hosts_try_dane | Use: smtp | Type: host list† | Default: * |
This test first checks whether the domain is signed with DNSSEC and then performs an additional lookup for a TLSA record in DNS. If a TLSA record is found, DANE is used to authenticate the connection for the message. If no record exists, DANE is simply skipped. The error "tlsa lookup DEFER", however, means something different: the DNS server never returned an answer at all (a timeout or SERVFAIL rather than a "no record" response). Because Exim cannot tell whether a TLSA record exists, it defers delivery of the message instead of falling back to an unauthenticated connection.
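The three outcomes described above (TLSA found, no TLSA record, lookup failed) can be told apart from the command line with the same dig query shown under Symptoms. The following POSIX shell script is an added example, not cPanel's or Exim's own code: it classifies dig output the way Exim's DANE logic treats it and is useful for confirming whether a "tlsa lookup DEFER" is really a DNS reachability problem before touching Exim. The embedded dig outputs are constructed samples (the host name mail.example.com and the shortened TLSA hash are made up), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the cPanel article or Exim): classify the output of
#   dig +dnssec _25._tcp.<mx-host> TLSA
# into the outcomes that matter for Exim's hosts_try_dane logic:
#   DANE_USABLE   - signed (AD flag) answer with a TLSA record: DANE will be used
#   DANE_SKIPPED  - NXDOMAIN or empty NOERROR answer: no TLSA record, DANE skipped
#   UNSIGNED      - TLSA present but answer not validated (no AD flag)
#   LOOKUP_DEFER  - timeout / SERVFAIL / unparseable: Exim defers the delivery

# classify_tlsa_output: reads dig output on stdin, prints one classification.
classify_tlsa_output() {
    out=$(cat)
    # No answer at all (the situation the article's Symptoms section shows).
    if printf '%s\n' "$out" | grep -q 'connection timed out; no servers could be reached'; then
        echo LOOKUP_DEFER; return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$status" in
        SERVFAIL|"") echo LOOKUP_DEFER; return 0 ;;   # resolver failed or output unparseable
        NXDOMAIN)    echo DANE_SKIPPED; return 0 ;;   # authoritative "no such name"
    esac
    # NOERROR: require a real TLSA RR (not just the RRSIG) and the AD flag for DNSSEC.
    if printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+TLSA[[:space:]]'; then
        case " $flags " in
            *" ad "*) echo DANE_USABLE ;;
            *)        echo UNSIGNED ;;
        esac
    else
        echo DANE_SKIPPED
    fi
}

# check_tlsa <mx-host>: live check of one MX host (needs network access and dig).
check_tlsa() {
    dig +dnssec "_25._tcp.$1" TLSA 2>&1 | classify_tlsa_output
}

# Constructed sample outputs (hash shortened for readability).
SAMPLE_TIMEOUT='; <<>> DiG 9.11.4 <<>> +dnssec _25._tcp.mail.example.com TLSA
;; global options: +cmd
;; connection timed out; no servers could be reached'

SAMPLE_SIGNED='; <<>> DiG 9.11.4 <<>> +dnssec _25._tcp.mail.example.com TLSA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 0123456789ABCDEF
_25._tcp.mail.example.com. 3600 IN RRSIG TLSA 13 5 3600 20300101000000 20290101000000 12345 example.com. AAAA'

SAMPLE_UNSIGNED='; <<>> DiG 9.11.4 <<>> +dnssec _25._tcp.mail.example.com TLSA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 0123456789ABCDEF'

SAMPLE_NOREC='; <<>> DiG 9.11.4 <<>> +dnssec _25._tcp.mail.example.com TLSA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

SAMPLE_SERVFAIL='; <<>> DiG 9.11.4 <<>> +dnssec _25._tcp.mail.example.com TLSA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then
    check_tlsa "$1"
else
    for s in "$SAMPLE_TIMEOUT" "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_NOREC" "$SAMPLE_SERVFAIL"; do
        printf '%s\n' "$s" | classify_tlsa_output
    done
fi
```

Run it with an MX host name (for example `sh dane-check.sh mail.example.com`) to classify a live lookup; with no argument it classifies the embedded samples. Only LOOKUP_DEFER corresponds to the article's error, so a DANE_SKIPPED result means the firewall is not the cause and the deferral should be investigated elsewhere.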
Workaround
Currently, cPanel doesn't modify DANE settings and will allow Exim's default values to take precedence. You can resolve this issue in a few different ways.
NOTE: The system administrator may be required to apply these changes as they involve modifying firewall settings or customizing Exim.
1. Update the firewall settings (best option)
- Allow TCP and UDP port 53 in the firewall settings so that DNS answers can reach the server. Filtering any of the DNS queries could result in a DNS failure.
2. Disable DNSSEC for the domain (additional option)
- To disable DNSSEC, you must contact the domain registrar or modify the domain settings at the registrar.
3. Modify Exim settings to disable DANE for all hosts. This requires customizations to the Exim configuration. (Last resort option: permanently disables hosts_try_dane)
- Set an empty value for option "hosts_try_dane" in file:
/usr/local/cpanel/etc/exim/replacecf/dkim/remote_smtp
- Edit the file to add hosts_try_dane = "" to the end of the remote_smtp and dkim_remote_smtp sections.
- Rebuild Exim, tidy its databases to clear any defers, and restart it:
/scripts/buildeximconf
/scripts/exim_tidydb
/scripts/restartsrv_exim
- Add the file to the cpanelsync exclude list so the change persists across cPanel updates:
echo /usr/local/cpanel/etc/exim/replacecf/dkim/remote_smtp >> /etc/cpanelsync.exclude