https://bugs.exim.org/show_bug.cgi?id=2265
--- Comment #6 from Phil Pennock <p...@exim.org> ---

Viktor notes on exim-users:

---
Thanks for bringing this up. Indeed for DANE it is essential to ignore any statically configured value and use the "TLSA base domain". Otherwise, the cert chain you get may well not be the one promised in the TLSA records.

Postfix ignores the static SNI setting when doing DANE. Exim needs to do the same. The required SNI name is specified in RFC7672 (and/or RFC7671), and should not be second-guessed.
---

... in response to my saying we should probably just ignore the static SNI setting for DANE.

I also think that we should ignore `multi_domain` and force it false for DANE, in this case. These days it's expanded, and it always defaults true.

Any objections to:

1. Using the DANE-specified hostname variant as the SNI for DANE, when DANE is in play, ignoring `tls_sni`, which then becomes the fallback for non-DANE, same as {hosts_require_tls, tls_verify_hosts, tls_try_verify_hosts, tls_verify_certificates, tls_crl, tls_verify_cert_hostnames}.

2. Disabling `multi_domain` when DANE is in play.

Really, I'm taking it as a good sign how much manual configuration disappears because the MTA can just do "the right thing" with DANE.
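As an added illustration (not Exim code, and not part of the bug comment above) of the proposal: per connection, DANE being in play overrides the static `tls_sni` with the TLSA base domain and forces `multi_domain` off, while the static transport options remain the non-DANE fallback. The TLSA-base-domain derivation is this example's simplified reading of RFC 7672 (secure CNAME expansion with TLSA records at the expanded name wins, otherwise the original MX name); the `DaneLookup` shape and the sample values are constructed.

```python
# Added example, not Exim's implementation. Models the decision proposed in
# the comment: DANE in play => SNI = TLSA base domain, multi_domain = false.
from dataclasses import dataclass
from typing import Optional


@dataclass
class DaneLookup:
    """Constructed stand-in for what the DNS/DANE lookup step hands back."""
    mx_host: str                # name taken from the MX record
    expanded: Optional[str]     # final CNAME target, or None when no CNAME
    cname_secure: bool          # was the CNAME chain DNSSEC-validated?
    tlsa_at_expanded: bool      # usable TLSA RRset at the expanded name?
    tlsa_at_original: bool      # usable TLSA RRset at the MX name itself?


def tlsa_base_domain(lk: DaneLookup) -> Optional[str]:
    """TLSA base domain as this example reads RFC 7672, or None if no DANE.

    A secure CNAME expansion that carries TLSA records names the base domain;
    otherwise fall back to the MX name (only if it has TLSA records)."""
    if lk.expanded and lk.cname_secure and lk.tlsa_at_expanded:
        return lk.expanded
    if lk.tlsa_at_original:
        return lk.mx_host
    return None


def effective_tls(transport: dict, lk: DaneLookup) -> dict:
    """Resolve the SNI and multi_domain actually used for one connection.

    transport: static smtp-transport options (constructed Exim-like dict).
    With DANE in play the static tls_sni is ignored and multi_domain is
    forced false; without DANE the static options are the fallback."""
    base = tlsa_base_domain(lk)
    if base is not None:
        return {"dane": True, "sni": base, "multi_domain": False}
    return {
        "dane": False,
        "sni": transport.get("tls_sni"),                      # static fallback
        "multi_domain": transport.get("multi_domain", True),  # defaults true
    }


# Constructed sample transport options for demonstration.
SAMPLE_TRANSPORT = {"tls_sni": "static.example.net", "multi_domain": True}
```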