Viktor Dukhovni via Exim-dev <exim-dev@???> (Sun 14 Mar 2021 14:33:21 CET):
> For the record, the expectation is:
>
> - Absent DANE TLSA records, the literal MX hostname, which is
> of course insecurely obtained from MX records, so validation
> is mostly an exercise in futility. It would only mean something
> if MTA-STS were implemented, but Exim does not MTA-STS last I
> heard.
If the next hop's hostname comes from insecure DNS, you're right. If the
next hop's hostname is hard-wired into the configuration (as typically
found in "use-a-smarthost" setups), I believe it's useful to check the
next hop's certificate prior to sending credentials or other private data.
--
Heiko
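
The smarthost case described above, as an added configuration sketch that is not part of the original thread or of Exim's shipped configuration. The host name `smarthost.example.net`, port 587, the router and transport names, and the presence of a `local_domains` domain list and a client authenticator are assumptions.

```exim
# Added example. Host name, port, and driver instance names are assumed.

begin routers

smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  # The next hop's name is hard-wired here, not taken from MX records.
  route_list = * smarthost.example.net

begin transports

smarthost_smtp:
  driver = smtp
  port = 587
  # Never fall back to a cleartext session.
  hosts_require_tls = *
  # Require the certificate chain to verify. The default only *tries*
  # (tls_try_verify_hosts = *) and carries on when verification fails.
  tls_verify_hosts = *
  # Require the certificate to match the configured host name.
  tls_verify_cert_hostnames = *
  # Trust anchors: the system CA bundle.
  tls_verify_certificates = system
  # Require AUTH, which is then only offered on the verified session.
  hosts_require_auth = *
```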