https://bugs.exim.org/show_bug.cgi?id=2265
--- Comment #4 from Phil Pennock <pdp@???> ---
(Patch is reversed.)
The issue I see is that we don't switch transports based upon DANE or not, or
have a way to skip a router if DANE fails (since that's something for later, at
SMTP time, when checking hosts). So there's no (sane?) way to have a config
which has tls_sni set to something based on "possible expansion lookup" and
still have the option be unset for the DANE scenario.
I see two approaches here:
1.
a. Allow for forced-fail expansion and empty expansion, to mean defaults too
b. Add a new expansion variable, $dane_active or somesuch (since
$tls_out_dane is set much later, I think?)
2. Say "DANE always uses the SNI set per DANE specs" and force-override,
always.
IMO 2 is simpler and easier. (Sorry that I haven't gotten to this myself)
My assumption is that people who care about SMTP security will have manual
overrides for a bunch of domains, as I do, but want DANE to provide automatic
improved security when available.
--
You are receiving this mail because:
You are on the CC list for the bug.
