Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Author: Viktor Dukhovni
Date:  
To: admin--- via Exim-dev
Subject: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
For the record, the expectation is:

- Absent DANE TLSA records, the literal MX hostname, which is
of course insecurely obtained from MX records, so validation
is mostly an exercise in futility. It would only mean something
if MTA-STS were implemented, but Exim does not do MTA-STS last I
heard.

- If DANE TLSA records are found at some "TLSA base domain"
(which is either the securely CNAME expanded MX host, or else
the original MX host from the signed MX RRset), then that's
the name to use in SNI and check in the certificate when validating
"2 X X" TLSA records.

> On Mar 13, 2021, at 8:56 AM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> Checked in real-world and it seems to work as expected. The router sets the
> host to smtp.office365.com, DNS CNAMEs redirect to a bunch of other names which
> in turn resolve to addresses.
>
> The certificate the peers present matches the hostname of the router and Exim
> now can verify that.


-- 
    Viktor.
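The name-selection rule Viktor lays out above (securely CNAME-expanded MX host first, else the MX host from the signed MX RRset, else fall back to the insecure literal name), written out as an added example; this is not Exim's code, and `FakeDns` is an assumed stand-in for a validating resolver. The usage-3 "no name check" rule in `cert_name_ok` comes from RFC 7672, not from the message.

```python
from dataclasses import dataclass

@dataclass
class FakeDns:
    # Constructed stand-in for a DNSSEC-validating resolver (assumption,
    # not a real DNS library). cnames: owner -> (target, secure);
    # tlsa: "_25._tcp.<base>" -> list of (usage, selector, mtype, data).
    cnames: dict
    tlsa: dict

    def expand_cname(self, name):
        """Follow CNAMEs; secure stays True only if every hop validated."""
        secure, seen = True, set()
        while name in self.cnames:
            if name in seen:
                raise ValueError("CNAME loop at " + name)
            seen.add(name)
            name, hop_secure = self.cnames[name]
            secure = secure and hop_secure
        return name, secure

    def tlsa_records(self, base):
        return self.tlsa.get("_25._tcp." + base, [])

def select_verify_name(dns, mx_host, mx_rrset_secure):
    """Return (TLSA base domain or None, name to use for SNI and the
    certificate check, mode) for one MX host."""
    if mx_rrset_secure:
        expanded, chain_secure = dns.expand_cname(mx_host)
        # Try the securely CNAME-expanded name first, then the MX host
        # itself (which came from the signed MX RRset).
        candidates = [expanded] if chain_secure and expanded != mx_host else []
        candidates.append(mx_host)
        for base in candidates:
            if dns.tlsa_records(base):
                return base, base, "dane"
    # No DANE: only the literal MX hostname is left, and it was obtained
    # insecurely, so a name match proves little.
    return None, mx_host, "opportunistic"

def cert_name_ok(usage, cert_names, base):
    """Usage 2 (DANE-TA) needs the base domain among the cert names;
    usage 3 (DANE-EE) skips the name check (RFC 7672)."""
    return usage != 2 or base in cert_names

if __name__ == "__main__":
    dns = FakeDns({"smtp.example.com.": ("mail.hoster.example.", True)},
                  {"_25._tcp.mail.hoster.example.": [(2, 1, 1, "cafe")]})
    print(select_verify_name(dns, "smtp.example.com.", True))
```

Flip the `secure` flag on the CNAME hop to see the lookup fall back to the original MX host, and drop all TLSA records to see the opportunistic case.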