Viktor Dukhovni via Exim-dev <exim-dev@exim.org> (Sun 14 Mar 2021 14:33:21 CET):
> For the record, the expectation is:
>
> - Absent DANE TLSA records, the literal MX hostname, which is
>   of course insecurely obtained from MX records, so validation
>   is mostly an exercise in futility. It would only mean something
>   if MTA-STS were implemented, but Exim does not MTA-STS last I
>   heard.

If the next hop's hostname comes from insecure DNS, you're right. If the next hop's hostname is hard-wired into the configuration (as typically found in "use-a-smarthost" setups), I believe it's useful to check the next hop's certificate prior to sending credentials or other private data.

--
Heiko

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
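
The smarthost case raised in the reply above, as an added configuration sketch (not part of the original messages and not the Exim project's own example). The host name `smarthost.example.net`, port 587, the account `relayuser` and the password placeholder are assumptions; the options are standard Exim manualroute, smtp transport and plaintext authenticator settings.

```exim
begin routers

# The next hop is named in the configuration, not taken from MX records,
# so the name checked against the certificate is a trusted input.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  route_list = * smarthost.example.net byname   # assumed host name
  no_more

begin transports

smarthost_smtp:
  driver = smtp
  port = 587                        # assumed submission port
  # Defer delivery instead of continuing in cleartext.
  hosts_require_tls = *
  # Make a failed certificate verification fatal for the connection
  # (tls_try_verify_hosts would only attempt it and carry on).
  tls_verify_hosts = *
  # Require the certificate to match the configured host name.
  tls_verify_cert_hostnames = *
  # Trust anchors: the system CA bundle.
  tls_verify_certificates = system
  # Never deliver to this host unauthenticated.
  hosts_require_auth = *

begin authenticators

smarthost_plain:
  driver = plaintext
  public_name = PLAIN
  # Offer credentials only on a connection that negotiated TLS.
  client_condition = ${if !eq{$tls_out_cipher}{}}
  client_send = ^relayuser^PASSWORD_PLACEHOLDER
```

Because STARTTLS and certificate verification complete before the AUTH exchange, a smarthost presenting an untrusted or mismatched certificate causes a deferral and the credentials are never sent.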