Re: [exim] Exim 4.94.2 - security update released (DANE fix)

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: Heiko Schlittermann
CC: exim-users
Alte Treads: [exim] Exim 4.94.2 - security update released
Betreff: Re: [exim] Exim 4.94.2 - security update released (DANE fix)

The DANE fix:

-            ob->tls_sni = sx->first_addr->domain;    /* force SNI */
+                       ob->tls_sni = sx->conn_args.host->name; /* force SNI */


replaces the recipient domain with the MX hostname.

When the MX host is a CNAME, is that necessarily the same as
the TLSA base domain?

How does Exim handle MX hosts that are CNAMEs? Are fully
expanded (secure at every step, with fallback to the original
name) CNAMEs used for TLSA lookups (per RFC7672?)?

-- 
    Viktor.