Symptoms
When trying to send email, you see errors like the following in /var/log/exim_mainlog:
DANE attempt failed; TLS connection to some.remoteserver.com [10.11.12.13]: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2021-02-17 13:53:36 1lBezy-007VRC-He == someone@some.remoteserver.com R=lookuphost T=remote_smtp defer (-37) H=some.remoteserver.com [10.11.12.13]: TLS session: (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Description
This occurs because the remote domain has a DANE TLSA record published and the TLS connection cannot be authenticated against it.
Workaround
There is no workaround available, because the error is caused by the domain owner or the server/systems administrators of the remote domain itself.
You can confirm that the domain has a TLSA record by checking for a TLSA record with _443._tcp prefixed to the domain itself. For example, if the domain were somedomain.tld you would run
dig _443._tcp.somedomain.tld TLSA +short
and the output would show the TLSA records, something like this:
dig _443._tcp.somedomain.tld TLSA +short
3 1 1 C87E73A0AAAA7D5A31E1541B1D5E4E7543D8661DC1D1456C1CD06833 78EB33F0
3 1 1 4652462EE4A3061E801E55C5FA790FD18CAAAAF218DC77BA39C43FC2 F2C80F7A
3 1 1 C4D4C4FFFF6AAAAAE88AD5726529C5B5291E1C149CF96E281F3F72B5 137ACB2D
3 1 1 35A7E78A387B923C772FA7526BD4CCB086AAAAAAAAAAA839412B96C54 5DBA096A
3 1 1 E7A728EBE7EAA929821386427F0D59029A2AAAADA6EBFBF72F13F597 B7B54305
3 1 1 D1AE6E21E71F1DB1D0588EF9E6C788BF22222222224E48B343EEB37A 008F5A6E
3 1 1 8E73333333333295DE44912F6D2AC98FF1E8E60A35954DD9AF6D997A A15AC4E7
3 1 1 2C4776F4BD70CCB7C37AE1D6ABF5BBBBBBBBBBB7A61CB3371BB7127FC A7D054F2
3 1 1 D4538EC5E162F26DDDDDDDDDDCB2850289D30987D8AA92FBAEF7B3B7 5AD96885
3 1 1 5195CEE3A8FE11CD2CEF695DAAAAAAAAAAAAB3F579016D319FD061C91 9478789C
If you see output like this you can then check to see if DANE authentication passes or fails using a site like https://www.huque.com/bin/danecheck-smtp
If authentication fails, the domain owner and server administrator need to fix their domain's TLSA record or remove it altogether. There is no way to work around this locally on the cPanel server.
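The comparison behind that check, as an added example that is not cPanel or Exim code: parse the `dig ... TLSA +short` lines (dig wraps the hex field into space-separated chunks, which must be rejoined before decoding), run static sanity checks on each record, and test whether a usage 3 (DANE-EE) record matches the server certificate by hashing either the full certificate or its SubjectPublicKeyInfo. A malformed or stale record of this kind is exactly what produces the `certificate verify failed` defer above. Note that for outbound SMTP Exim looks up `_25._tcp.<mx-hostname>` TLSA records for each MX host, so that is the name to query when diagnosing this defer; a `_443._tcp` record covers HTTPS. The certificate used here is a constructed DER blob with X.509 layout, not a real certificate, and the sample dig output is constructed to contain one matching record and one truncated digest.

```python
"""Parse `dig <name> TLSA +short` output and check a DANE-EE record.

Added example, not cPanel or Exim code. Implements the record-vs-certificate
comparison for usage 3 (DANE-EE) records only; trust-anchor usages (0 and 2)
need chain handling and are skipped. SAMPLE_CERT below is a constructed DER
blob with X.509 layout, not a real certificate.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


DIGEST_LEN = {1: 32, 2: 64}  # expected association-data length per matching type


def parse_dig_short(text: str) -> list[TLSARecord]:
    """Parse `+short` lines; dig wraps the hex field into space-separated chunks."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"malformed TLSA line: {line!r}")
        usage, selector, mtype = (int(f) for f in fields[:3])
        hexdata = "".join(fields[3:])  # rejoin the wrapped hex chunks
        if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata) or len(hexdata) % 2:
            raise ValueError(f"bad hex in TLSA line: {line!r}")
        records.append(TLSARecord(usage, selector, mtype, bytes.fromhex(hexdata)))
    return records


def record_problems(rec: TLSARecord) -> list[str]:
    """Static sanity checks: a malformed record can never match, so delivery defers."""
    problems = []
    if rec.usage not in (0, 1, 2, 3):
        problems.append(f"unknown usage {rec.usage}")
    if rec.selector not in (0, 1):
        problems.append(f"unknown selector {rec.selector}")
    if rec.mtype not in (0, 1, 2):
        problems.append(f"unknown matching type {rec.mtype}")
    elif rec.mtype in DIGEST_LEN and len(rec.data) != DIGEST_LEN[rec.mtype]:
        problems.append(f"digest is {len(rec.data)} bytes, expected {DIGEST_LEN[rec.mtype]}")
    return problems


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Walk the X.509 structure to the SubjectPublicKeyInfo TLV (selector 1 input)."""
    tag, pos, _ = _der_tlv(cert_der, 0)      # Certificate SEQUENCE
    tag2, pos, _ = _der_tlv(cert_der, pos)   # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, nxt = _der_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, nxt = _der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:nxt]


def dane_ee_match(records, cert_der: bytes) -> bool:
    """True if any well-formed usage-3 record matches the end-entity certificate."""
    spki = spki_from_certificate(cert_der)
    for rec in records:
        if rec.usage != 3 or record_problems(rec):
            continue
        selected = cert_der if rec.selector == 0 else spki
        if rec.mtype == 0:
            computed = selected
        elif rec.mtype == 1:
            computed = hashlib.sha256(selected).digest()
        else:
            computed = hashlib.sha512(selected).digest()
        if computed == rec.data:
            return True
    return False


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed sample certificate: correct X.509 nesting, dummy key and signature bytes.
_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x11" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _RSA_ALG
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _RSA_ALG + _der(0x03, b"\x00" + b"\x22" * 16))

# Constructed dig output: first record matches SAMPLE_CERT's SPKI, the second is a
# digest truncated to 31 bytes, the kind of broken record that causes the defer.
_GOOD = hashlib.sha256(SAMPLE_SPKI).hexdigest().upper()
SAMPLE_DIG_OUTPUT = f"3 1 1 {_GOOD[:56]} {_GOOD[56:]}\n3 1 1 {'AB' * 31}\n"

if __name__ == "__main__":
    recs = parse_dig_short(SAMPLE_DIG_OUTPUT)
    for r in recs:
        print(r.usage, r.selector, r.mtype, record_problems(r) or "ok")
    print("DANE-EE match:", dane_ee_match(recs, SAMPLE_CERT))
```

To apply this to a live host, feed the output of `dig _25._tcp.<mx-hostname> TLSA +short` to `parse_dig_short` and the DER certificate captured from the MX host's port 25 (for example with `openssl s_client -starttls smtp` followed by `openssl x509 -outform DER`) to `dane_ee_match`; a record flagged by `record_problems`, or no matching record at all, is the remote side's problem to fix.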