https://bugs.exim.org/show_bug.cgi?id=2624
--- Comment #3 from Jason Gunthorpe <[email protected]> ---

4.94 fails too, but the commit linked to bug 2594 is not in 4.94, so I will try building from source as it does look like the right fix (give me a bit to get this done).

Regarding standards, bug 2594 has a good quote from the SMTP RFC:

- A SMTP client would probably only want to authenticate an SMTP server whose server certificate has a domain name that is the domain name that the client thought it was connecting to.

In my particular case the manualroute is choosing a transport with authentication enabled, so the above applies.

In terms of Exim, when the above says "the domain name that the client thought it was connecting to" it means the route_data in the manualroute. This specifies the "domain name" that Exim is allowed to send the authentication to.

The problem here is that DNS is insecure and it is not so hard to inject a CNAME response into Exim. With authentication turned on this means someone can steal the authentication secret. I think it is understandable why this is bad.

I recommend backporting this patch into earlier releases.
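The point about which name the certificate has to match, modelled as an added example (not Exim code and not part of the comment above). It assumes the failing check takes its reference name from the CNAME answer, as the comment implies; every host name, DNS table and certificate name list here is constructed, and the matcher is a simplified RFC 6125-style comparison.

```python
# Added illustration: which name a client should check the server certificate
# against before sending AUTH. All names and data below are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125-style match: exact, or one left-most '*' label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(cert_names, reference_name):
    """True if any name in the certificate matches the reference identity."""
    return any(name_matches(n, reference_name) for n in cert_names)

def resolve_cname(name, dns):
    """Follow CNAME records in an unauthenticated (constructed) DNS table."""
    seen = set()
    while name in dns and name not in seen:
        seen.add(name)
        name = dns[name]
    return name

def safe_to_authenticate(configured_host, dns, cert_names, trust_cname):
    """Decide whether the peer certificate is acceptable before AUTH.

    trust_cname=True  models the flawed check: the reference identity is the
                      DNS-derived canonical name.
    trust_cname=False models the correct check: the reference identity is the
                      administrator-configured name (route_data in the comment).
    """
    canonical = resolve_cname(configured_host, dns)
    reference = canonical if trust_cname else configured_host
    return cert_valid_for(cert_names, reference)

CONFIGURED = "smarthost.example.org"                 # stand-in for route_data
SPOOFED_DNS = {CONFIGURED: "mx.attacker.example"}    # injected CNAME answer
ATTACKER_CERT = ["mx.attacker.example"]              # valid for that name only
HONEST_DNS = {CONFIGURED: "mx1.provider.example"}
HONEST_CERT = ["smarthost.example.org"]

if __name__ == "__main__":
    print("flawed check accepts spoofed peer:",
          safe_to_authenticate(CONFIGURED, SPOOFED_DNS, ATTACKER_CERT, True))
    print("correct check accepts spoofed peer:",
          safe_to_authenticate(CONFIGURED, SPOOFED_DNS, ATTACKER_CERT, False))
```

With the configured name as the reference identity, a legitimate CNAME to a provider host still verifies as long as the certificate carries the configured name.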
