https://bugs.exim.org/show_bug.cgi?id=2265
--- Comment #4 from Phil Pennock <[email protected]> ---

(Patch is reversed.)

The issue I see is that we don't switch transports based upon DANE or not, or have a way to skip a router if DANE fails (since that's something for later, at SMTP time, when checking hosts). So there's no (sane?) way to have a config which has tls_sni set to something based on "possible expansion lookup" and still have the option be unset for the DANE scenario.

I see two approaches here:

1. a. Allow for forced-fail expansion and empty expansion, to mean defaults too
   b. Add a new expansion variable, $dane_active or somesuch (since $tls_out_dane is set much later, I think?)
2. Say "DANE always uses the SNI set per DANE specs" and force-override, always.

IMO 2 is simpler and easier. (Sorry that I haven't gotten to this myself)

My assumption is that people who care about SMTP security will have manual overrides for a bunch of domains, as I do, but want DANE to provide automatic improved security when available.
