https://bugs.exim.org/show_bug.cgi?id=2266
--- Comment #3 from Phil Pennock <[email protected]> --- (In reply to jasen Betts from comment #2) > Why use '$domain' (domain of the rcpt(s) may be empty, will usually be wrong > for delivery via smarthost) > instead of '$host' (domain of the MX, A, or smarthost)? Because unless you have DNSSEC, $host is derived via insecure means, the DNS. DNSSEC means that DNS becomes secure for our purposes. If you have DNSSEC and want $host sent, then publish TLSA records to enable DANE, and the other tracking bug will cover our fixing Exim to honor those for selecting the SNI value to send. There is never any point in setting TLS SNI to a value which you are not willing to validate as being correct, referring back to a trusted path of input. If some people run self-signed without SNI but CA-signed with SNI, then that's a bug, but for MTAs delivering to MX it makes no difference because by default MX TLS *IS NOT VALIDATED*. So, no DNSSEC, need a value, needs to be tied back to the recipient in a trustworthy way, thus $domain is all we have to go on. It's not good. It's simply the least bad option available. -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
