On 30 Oct 2021, at 10:13, Viktor Dukhovni via Exim-users <exim-users@???> wrote:

> The only reason to abort the handshake on verification failure is if you
> insist on a secure connection, and then you'd better not fall back to
> cleartext which would be just absurd. Either require a secure
> connection, or don't, ... the combination of behaviours makes no sense.
>
> Yes, Exim currently makes it possible, but that such booby traps for the
> user are design errors, when they're not (as in this case) just
> implementation bugs.
There is one less obvious use for that combination: informative logging. Knowing the verification status is still helpful, even if you don’t actually need it for policy.
But, yes, you’re right that tls_verify_hosts should never intersect with hosts you actually intend to use TLS with in spite of verification failure. It’s not obvious and it probably ought to be written down somewhere so somebody doesn’t fall over it.
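An smtp transport sketch that keeps the two host lists disjoint in the way described above, added here as an illustration and not taken from the thread or from Exim's own documentation; the host patterns are placeholders.

```exim
# Added example (not from the thread). The hostname patterns are
# constructed placeholders; the option names are Exim's smtp transport
# options.
remote_smtp:
  driver = smtp
  tls_verify_certificates = system
  tls_verify_cert_hostnames = *
  # Peers whose certificate must verify. A failure aborts the session,
  # and hosts_require_tls names the same set so there is no cleartext
  # fallback for them.
  tls_verify_hosts = *.partner.example
  hosts_require_tls = *.partner.example
  # Everyone else: attempt verification for the log line only, and still
  # deliver when it fails. The negation keeps this list from overlapping
  # with tls_verify_hosts.
  tls_try_verify_hosts = !*.partner.example : *
```

With this layout the verification outcome still appears in the delivery log (the tls_certificate_verified log selector is on by default) without turning a failed check into a cleartext retry for the strict hosts.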