Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Author: Viktor Dukhovni
Date:  
To: admin--- via Exim-dev
Subject: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
> On Mar 15, 2021, at 6:24 AM, Heiko Schlittermann via Exim-dev <exim-dev@???> wrote:
>
> If the next hop's hostname comes from insecure DNS, you're right. If the
> next hop's hostname is hard-wired into the configuration (as typically
> found in "use-a-smarthost" setups), I believe it's useful to check the
> next hop's certificate prior to sending credentials or other private data.

Yes, in the absence of MX lookups, the nexthop host is securely
known, and can be validated. This is in fact typical for submission,
where MX lookups don't apply.

Thus a locally configured nexthop of [smtp.example.net]:587 can and should
be subject to TLS certificate checks, and not subjected to CNAME expansion,
unless somebody also has DANE for port 587 (and TLSA records on the far end
of an end-to-end signed CNAME chain).

-- 
    Viktor.
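For concreteness, this is the shape of the hard-wired smarthost setup Heiko and Viktor describe, written as an added example rather than taken from the bug report or from Exim's own documentation; the host name, port, and router/transport names are assumed, and the authenticator definition is left out. It pins TLS verification to the configured name and makes verification mandatory; the bug in the subject line concerns how Exim's CNAME handling interacts with that check.

```exim
# Hypothetical smarthost configuration (added example, names assumed).
# The next hop is hard-wired, so no MX lookup is involved and the
# server certificate can be checked against the name we configured.

begin routers

smarthost:
  driver = manualroute
  transport = smarthost_smtp
  # Hard-wired next hop: this is the securely known name.
  route_list = * smtp.example.net
  no_more

begin transports

smarthost_smtp:
  driver = smtp
  port = 587
  # Never fall back to cleartext; the session must be TLS-protected.
  hosts_require_tls = *
  # Verify the server's chain against the system CA store.
  tls_verify_certificates = system
  # Make verification mandatory (the default tls_try_verify_hosts
  # setting alone would let a failed verification pass).
  tls_verify_hosts = *
  # The certificate must name the configured host itself.
  tls_verify_cert_hostnames = smtp.example.net
  # Authentication is mandatory, so with the settings above credentials
  # are only ever sent over a verified TLS session.
  hosts_require_auth = *
```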